V4 feature/provider state (#95)

* fix: Use PKCE in Cognito provider (#82)

* fix: Use PKCE in Google provider (#83)

* fix: Use PKCE in OIDC provider (#86)

* fix: Use PKCE in OIDC provider

* fix: ensure state parameter is always appended in OIDC provider

* fix: Add state param in Google provider (#90)

* refactor: Refactor URL construction in Google provider

* fix: Add state param in Google provider

* refactor: generating random bytes

* fix: Add state param in Cognito provider (#88)

* refactor: Refactor URL construction in Cognito provider

* fix: Add state param in Cognito provider

* fix: Add state param in Azure AD provider (#89)

* refactor: Refactor URL construction in Azure AD provider

* fix: Ensure email property is set for Azure AD user in sign-in callback

* fix: Add state param in Azure AD provider

* fix: Add state param in OIDC provider (#91)

* fix require

---------

Co-authored-by: Takenori Nakagawa <[email protected]>

Author: yasudacloud

server/controllers/azuread.js

@@ -1,7 +1,8 @@
 "use strict";
 const axios = require("axios");
-const { v4 } = require("uuid");
+const {v4} = require("uuid");
 const pkceChallenge = require("pkce-challenge").default;
+const {Buffer} = require('buffer');
 
 const configValidation = () => {
   const config = strapi.config.get("plugin.strapi-plugin-sso");
@@ -30,7 +31,6 @@ const OAUTH_RESPONSE_TYPE = "code";
 
 async function azureAdSignIn(ctx) {
   const config = configValidation();
-  const redirectUri = encodeURIComponent(config["AZUREAD_OAUTH_REDIRECT_URI"]);
   const endpoint = OAUTH_ENDPOINT(config["AZUREAD_TENANT_ID"]);
 
   // Generate code verifier and code challenge
@@ -40,7 +40,18 @@ async function azureAdSignIn(ctx) {
   // Store the code verifier in the session
   ctx.session.codeVerifier = codeVerifier;
 
-  const url = `${endpoint}?client_id=${config["AZUREAD_OAUTH_CLIENT_ID"]}&redirect_uri=${redirectUri}&scope=${config["AZUREAD_SCOPE"]}&response_type=${OAUTH_RESPONSE_TYPE}&code_challenge=${codeChallenge}&code_challenge_method=S256`;
+  const state = crypto.getRandomValues(Buffer.alloc(32)).toString('base64url');
+  ctx.session.oidcState = state;
+
+  const params = new URLSearchParams();
+  params.append('client_id', config['AZUREAD_OAUTH_CLIENT_ID']);
+  params.append('redirect_uri', config['AZUREAD_OAUTH_REDIRECT_URI']);
+  params.append('scope', config['AZUREAD_SCOPE']);
+  params.append('response_type', OAUTH_RESPONSE_TYPE);
+  params.append('code_challenge', codeChallenge);
+  params.append('code_challenge_method', 'S256');
+  params.append('state', state);
+  const url = `${endpoint}?${params.toString()}`;
   ctx.set("Location", url);
   return ctx.send({}, 302);
 }
@@ -55,6 +66,9 @@ async function azureAdSignInCallback(ctx) {
   if (!ctx.query.code) {
     return ctx.send(oauthService.renderSignUpError(`code Not Found`));
   }
+  if (!ctx.query.state || ctx.query.state !== ctx.session.oidcState) {
+    return ctx.send(oauthService.renderSignUpError(`Invalid state`))
+  }
 
   const params = new URLSearchParams();
   params.append("code", ctx.query.code);
@@ -79,6 +93,10 @@ async function azureAdSignInCallback(ctx) {
       },
     });
 
+    if (!userResponse.data.email) {
+      throw new Error('Email address is not set. Please set email property to the Azure AD user.');
+    }
+
     const dbUser = await userService.findOneByEmail(userResponse.data.email);
     let activateUser;
     let jwtToken;

server/controllers/cognito.js

@@ -1,6 +1,8 @@
 'use strict';
 const axios = require("axios");
 const {v4} = require('uuid');
+const pkceChallenge = require("pkce-challenge").default;
+const {Buffer} = require('buffer');
 
 const configValidation = () => {
   const config = strapi.config.get('plugin.strapi-plugin-sso')
@@ -23,14 +25,32 @@ const OAUTH_USER_INFO_ENDPOINT = (domain, region) => {
   return `https://${domain}.auth.${region}.amazoncognito.com/oauth2/userInfo`
 }
 const OAUTH_GRANT_TYPE = 'authorization_code'
-const OAUTH_SCOPE = encodeURIComponent('openid email profile')
+const OAUTH_SCOPE = 'openid email profile'
 const OAUTH_RESPONSE_TYPE = 'code'
 
 async function cognitoSignIn(ctx) {
   const config = configValidation()
-  const redirectUri = encodeURIComponent(config['COGNITO_OAUTH_REDIRECT_URI'])
   const endpoint = OAUTH_ENDPOINT(config['COGNITO_OAUTH_DOMAIN'], config['COGNITO_OAUTH_REGION'])
-  const url = `${endpoint}?client_id=${config['COGNITO_OAUTH_CLIENT_ID']}&redirect_uri=${redirectUri}&scope=${OAUTH_SCOPE}&response_type=${OAUTH_RESPONSE_TYPE}`
+
+  // Generate code verifier and code challenge
+  const { code_verifier: codeVerifier, code_challenge: codeChallenge } =
+    pkceChallenge();
+
+  // Store the code verifier in the session
+  ctx.session.codeVerifier = codeVerifier;
+
+  const state = crypto.getRandomValues(Buffer.alloc(32)).toString('base64url');
+  ctx.session.oidcState = state;
+
+  const params = new URLSearchParams();
+  params.append('client_id', config['COGNITO_OAUTH_CLIENT_ID']);
+  params.append('redirect_uri', config['COGNITO_OAUTH_REDIRECT_URI']);
+  params.append('scope', OAUTH_SCOPE);
+  params.append('response_type', OAUTH_RESPONSE_TYPE);
+  params.append('code_challenge', codeChallenge);
+  params.append('code_challenge_method', 'S256');
+  params.append('state', state);
+  const url = `${endpoint}?${params.toString()}`
   ctx.set('Location', url)
   return ctx.send({}, 302)
 }
@@ -45,6 +65,9 @@ async function cognitoSignInCallback(ctx) {
   if (!ctx.query.code) {
     return ctx.send(oauthService.renderSignUpError(`code Not Found`))
   }
+  if (!ctx.query.state || ctx.query.state !== ctx.session.oidcState) {
+    return ctx.send(oauthService.renderSignUpError(`Invalid state`))
+  }
 
   const params = new URLSearchParams();
   params.append('code', ctx.query.code);
@@ -53,6 +76,9 @@ async function cognitoSignInCallback(ctx) {
   params.append('redirect_uri', config['COGNITO_OAUTH_REDIRECT_URI']);
   params.append('grant_type', OAUTH_GRANT_TYPE);
 
+  // Include the code verifier from the session
+  params.append("code_verifier", ctx.session.codeVerifier);
+
   try {
     const tokenEndpoint = OAUTH_TOKEN_ENDPOINT(config['COGNITO_OAUTH_DOMAIN'], config['COGNITO_OAUTH_REGION'])
     const userInfoEndpoint = OAUTH_USER_INFO_ENDPOINT(config['COGNITO_OAUTH_DOMAIN'], config['COGNITO_OAUTH_REGION'])

server/controllers/google.js

@@ -1,5 +1,7 @@
 const axios = require("axios");
 const {v4} = require('uuid');
+const pkceChallenge = require("pkce-challenge").default;
+const {Buffer} = require('buffer');
 
 const configValidation = () => {
   const config = strapi.config.get('plugin.strapi-plugin-sso')
@@ -26,10 +28,28 @@ const OAUTH_SCOPE = 'https://www.googleapis.com/auth/userinfo.email https://www.
  */
 async function googleSignIn(ctx) {
   const config = configValidation()
-  const redirectUri = encodeURIComponent(config['GOOGLE_OAUTH_REDIRECT_URI'])
-  const url = `${OAUTH_ENDPOINT}?client_id=${config['GOOGLE_OAUTH_CLIENT_ID']}&redirect_uri=${redirectUri}&scope=${OAUTH_SCOPE}&response_type=${OAUTH_RESPONSE_TYPE}`
-  ctx.set('Location', url)
-  return ctx.send({}, 302)
+
+  // Generate code verifier and code challenge
+  const { code_verifier: codeVerifier, code_challenge: codeChallenge } =
+    pkceChallenge();
+
+  // Store the code verifier in the session
+  ctx.session.codeVerifier = codeVerifier;
+
+  const state = crypto.getRandomValues(Buffer.alloc(32)).toString('base64url');
+  ctx.session.oidcState = state;
+
+  const params = new URLSearchParams();
+  params.append('client_id', config['GOOGLE_OAUTH_CLIENT_ID']);
+  params.append('redirect_uri', config['GOOGLE_OAUTH_REDIRECT_URI']);
+  params.append('scope', OAUTH_SCOPE);
+  params.append('response_type', OAUTH_RESPONSE_TYPE);
+  params.append('code_challenge', codeChallenge);
+  params.append('code_challenge_method', 'S256');
+  params.append('state', state);
+  const url = `${OAUTH_ENDPOINT}?${params.toString()}`;
+  ctx.set('Location', url);
+  return ctx.send({}, 302);
 }
 
 /**
@@ -48,6 +68,9 @@ async function googleSignInCallback(ctx) {
   if (!ctx.query.code) {
     return ctx.send(oauthService.renderSignUpError(`code Not Found`))
   }
+  if (!ctx.query.state || ctx.query.state !== ctx.session.oidcState) {
+    return ctx.send(oauthService.renderSignUpError(`Invalid state`))
+  }
 
   const params = new URLSearchParams();
   params.append('code', ctx.query.code);
@@ -56,6 +79,9 @@ async function googleSignInCallback(ctx) {
   params.append('redirect_uri', config['GOOGLE_OAUTH_REDIRECT_URI']);
   params.append('grant_type', OAUTH_GRANT_TYPE);
 
+  // Include the code verifier from the session
+  params.append("code_verifier", ctx.session.codeVerifier);
+
   try {
     const response = await httpClient.post(OAUTH_TOKEN_ENDPOINT, params, {
       headers: {

server/controllers/oidc.js

@@ -1,5 +1,7 @@
 const axios = require("axios");
-const { v4 } = require('uuid');
+const {v4} = require('uuid');
+const pkceChallenge = require("pkce-challenge").default;
+const {Buffer} = require('buffer');
 
 const configValidation = () => {
   const config = strapi.config.get('plugin.strapi-plugin-sso')
@@ -15,12 +17,32 @@ const configValidation = () => {
 }
 
 const oidcSignIn = async (ctx) => {
-  const { state } = ctx.query;
+  let { state } = ctx.query;
   const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPES, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
 
-  const authorizationUrl = `${OIDC_AUTHORIZATION_ENDPOINT}?response_type=code&client_id=${OIDC_CLIENT_ID}&redirect_uri=${OIDC_REDIRECT_URI}&scope=${OIDC_SCOPES}&state=${state}`;
+  // Generate code verifier and code challenge
+  const { code_verifier: codeVerifier, code_challenge: codeChallenge } =
+    pkceChallenge();
 
-  ctx.redirect(authorizationUrl);
+  // Store the code verifier in the session
+  ctx.session.codeVerifier = codeVerifier;
+
+  if (!state) {
+    state = crypto.getRandomValues(Buffer.alloc(32)).toString('base64url');
+  }
+  ctx.session.oidcState = state;
+
+  const params = new URLSearchParams();
+  params.append('response_type', 'code');
+  params.append('client_id', OIDC_CLIENT_ID);
+  params.append('redirect_uri', OIDC_REDIRECT_URI);
+  params.append('scope', OIDC_SCOPES);
+  params.append('code_challenge', codeChallenge);
+  params.append('code_challenge_method', 'S256');
+  params.append('state', state);
+  const authorizationUrl = `${OIDC_AUTHORIZATION_ENDPOINT}?${params.toString()}`;
+  ctx.set('Location', authorizationUrl);
+  return ctx.send({}, 302);
 };
 
 const oidcSignInCallback = async (ctx) => {
@@ -34,6 +56,9 @@ const oidcSignInCallback = async (ctx) => {
   if (!ctx.query.code) {
     return ctx.send(oauthService.renderSignUpError(`code Not Found`))
   }
+  if (!ctx.query.state || ctx.query.state !== ctx.session.oidcState) {
+    return ctx.send(oauthService.renderSignUpError(`Invalid state`))
+  }
 
   const params = new URLSearchParams();
   params.append('code', ctx.query.code);
@@ -42,6 +67,9 @@ const oidcSignInCallback = async (ctx) => {
   params.append('redirect_uri', config['OIDC_REDIRECT_URI']);
   params.append('grant_type', config['OIDC_GRANT_TYPE']);
 
+  // Include the code verifier from the session
+  params.append("code_verifier", ctx.session.codeVerifier);
+
   try {
     const response = await httpClient.post(config['OIDC_TOKEN_ENDPOINT'], params, {
       headers: {