
Commit 7d782d3

Google OAuth Security Update (#591)
* Google OAuth Security Update * The Google OAuth process now sets a CSRF token. * Added Secure Only and HTTP Only to the Integration cookie.
1 parent 780071b commit 7d782d3

1 file changed

+32
-3
lines changed


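--- a/src/data/google_oauth.php
+++ b/src/data/google_oauth.php
@@ -7,6 +7,11 @@
 SessionUtils::enforceLogin();
 
 if (Configuration::genGoogleOAuthFileExists()) {
+
+$code = idx(Utils::getGET(), 'code', false);
+$error = idx(Utils::getGET(), 'error', false);
+$state = idx(Utils::getGET(), 'state', false);
+
 $google_oauth_file = Configuration::genGoogleOAuthFile();
 $client = new Google_Client();
 $client->setAuthConfig($google_oauth_file);
@@ -16,8 +21,32 @@
 'https://'.$_SERVER['HTTP_HOST'].'/data/google_oauth.php',
 );
 
-if (isset($_GET['code'])) {
-$client->authenticate($_GET['code']);
+$integration_csrf_token = base64_encode(random_bytes(100));
+// Cookie is sent with headers, and therefore not set until after the PHP code executes - this allows us to reset the cookie on each request without clobbering the state
+setcookie(
+'integration_csrf_token',
+strval($integration_csrf_token),
+0,
+'/data/',
+must_have_string(Utils::getSERVER(), 'SERVER_NAME'),
+true,
+true,
+);
+$client->setState(strval($integration_csrf_token));
+
+if ($code !== false) {
+$integration_csrf_token = /* HH_IGNORE_ERROR[2050] */
+idx($_COOKIE, 'integration_csrf_token', false);
+if (strval($integration_csrf_token) === '' ||
+strval($state) === '' ||
+strval($integration_csrf_token) != strval($state)) {
+$code = false;
+$error = false;
+}
+}
+
+if ($code !== false) {
+$client->authenticate($code);
 $access_token = $client->getAccessToken();
 $oauth_client = new Google_Service_Oauth2($client);
 $profile = $oauth_client->userinfo->get();
@@ -49,7 +78,7 @@
 '"';
 }
 $javascript_close = "window.open('', '_self', ''); window.close();";
-} else if (isset($_GET['error'])) {
+} else if ($error === true) {
 $message =
 tr(
 'There was an error connecting your account to Google, please try again later.',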
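Review bot: The state check at new line 42 of the second hunk compares the cookie token with the `state` query value using loose `!=`, which treats numeric-looking strings by value and is not timing-safe; `!hash_equals(strval($integration_csrf_token), strval($state))` gives a strict, constant-time comparison of the two strings. On a mismatch the code only clears `$code` and `$error`, so a rejected callback falls through to whichever branch remains with no message; a dedicated rejection message there would make a forged or replayed callback visible to the user and in logs. In the third hunk, `$error === true` at new line 81 can only match a boolean, but `$error` holds the raw `error` query value (presumably a string such as the provider's error code, depending on what `Utils::getGET()` returns), so that branch appears unreachable; `} else if ($error !== false) {` keeps the previous `isset` semantics. The enclosing `if` block and the branch chain both continue outside the hunks.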
