-
Notifications
You must be signed in to change notification settings - Fork 99
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: added simple PKCE and state checks utils, used PKCE and state checks in auth0 #12
base: main
Are you sure you want to change the base?
Conversation
The other providers could definitly benefit from a universal util that allows state checks and/or a pkce check. |
You should probably use |
I would indeed leverage https://github.com/unjs/uncrypto Also here we use |
Tanks for the feedback 👍, I updated the checks to use I also moved the logic in a separate util file so that other providers can simply call
to get extra query param to be passed in the authorization request and
to verify the checks and get back the code_verifier if applicable. |
# Conflicts: # src/runtime/server/lib/oauth/auth0.ts
src/runtime/server/utils/security.ts
Outdated
if (checks?.includes('pkce')) { | ||
const pkceVerifier = generateCodeVerifier() | ||
const pkceChallenge = await pkceCodeChallenge(pkceVerifier) | ||
console.log('pkceVerifier', pkceVerifier) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
console.log leftover
src/runtime/server/utils/security.ts
Outdated
console.log('pkceChallenge', pkceChallenge) | ||
res['code_challenge'] = pkceChallenge | ||
res['code_challenge_method'] = 'S256' | ||
setCookie(event, 'nuxt-auth-util-verifier', pkceVerifier, { maxAge: 60 * 15, secure: true, httpOnly: true, sameSite: 'lax' }) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the cookie settings should configurable or reuse the cookie settings from the module
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't reuse the cookie settings because they were under the session key, I don't know if it would be confusing to reuse that or not. But I agree that a shared cookie config somewhere would be nice.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree it would be a bit confusing. Maybe an optional config for pkce cookie?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a cookie setting (runtimeConfig), under nuxtAuthConfig.security.cookie
I would like to build upon this PR and add a generic OIDC provider. I already started but these utils would be super helpful for supporting pkce flow. |
# Conflicts: # src/runtime/server/lib/oauth/auth0.ts
src/runtime/server/utils/security.ts
Outdated
if (!state || !stateInCookie) { | ||
const error = createError({ | ||
statusCode: 401, | ||
message: 'Auth0 login failed: state is missing' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This message is still specific to Auth0
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch, I updated this
src/runtime/server/utils/security.ts
Outdated
if (state !== stateInCookie) { | ||
const error = createError({ | ||
statusCode: 401, | ||
message: 'Auth0 login failed: state does not match' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This message is still specific to Auth0
Hey @Azurency,
|
@itpropro As @Azurency states in the PR description: @itpropro I think it would be great if you could improve the implementation. |
Hey, |
Thanks @itpropro I was exactly getting confused by the same issue all along while reading code changes and discussion. Yes, PKCE is meant to be used by SPAs since they cannot have secret keys. All the security comes by providing correct What I would suggest is adding those utils on client side, there by allowing this module to work with SPAs and |
I don't if that's something that something in the scope of a "Minimalist Authentication module" but I added simple PKCE and state checks in the auth0 provider for extra security.
The crypto methods and check logic could easily be extracted and reused in other oauth provider. I think that Google and Spotify accept the PKCE flow and Google and Twitch both accept a state check.