Added a state parameter for all OAuth requests

81443bf8 · Eric Perrino · 913f17ee · 81443bf8 · 81443bf8
Commit 81443bf8 authored Oct 08, 2016 by Eric Perrino
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 1 deletions

pkg/api/login_oauth.go
+19 -1

pkg/middleware/session.go
+1 -0

No files found.
--- a/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
@@ -3,6 +3,8 @@ package api
 import (
 	"errors"
 	"fmt"
+	"crypto/rand"
+	"encoding/base64"

 	"golang.org/x/oauth2"

@@ -14,6 +16,12 @@ import (
 	"github.com/grafana/grafana/pkg/social"
 )

+func GenStateString() string {
+        rnd := make([]byte, 32)
+        rand.Read(rnd)
+        return base64.StdEncoding.EncodeToString(rnd)
+}
+
 func OAuthLogin(ctx *middleware.Context) {
 	if setting.OAuthService == nil {
 		ctx.Handle(404, "login.OAuthLogin(oauth service not enabled)", nil)
@@ -29,7 +37,17 @@ func OAuthLogin(ctx *middleware.Context) {

 	code := ctx.Query("code")
 	if code == "" {
-		ctx.Redirect(connect.AuthCodeURL("", oauth2.AccessTypeOnline))
+		state := GenStateString()
+		ctx.Session.Set(middleware.SESS_KEY_OAUTH_STATE, state)
+		ctx.Redirect(connect.AuthCodeURL(state, oauth2.AccessTypeOnline))
+		return
+	}
+
+	// verify state string
+	savedState := ctx.Session.Get(middleware.SESS_KEY_OAUTH_STATE).(string)
+	queryState := ctx.Query("state")
+	if savedState != queryState {
+		ctx.Handle(500, "login.OAuthLogin(state mismatch)", nil)
 		return
 	}


--- a/pkg/middleware/session.go
+++ b/pkg/middleware/session.go
@@ -13,6 +13,7 @@ import (

 const (
 	SESS_KEY_USERID = "uid"
+	SESS_KEY_OAUTH_STATE = "state"
 )

 var sessionManager *session.Manager