Enhance OAuth security and state validation

- Implemented stricter OAuth security measures, including CSRF protection via state parameter validation and redirect_uri checks.
- Updated OAuth models to support timezone-aware datetime comparisons, replacing deprecated `utcnow`.
- Enhanced logging for malformed Basic auth headers during token, introspect, and revoke requests.
- Added allowlist validation for OAuth provider domains to prevent open redirect attacks.
- Improved nonce validation for OpenID Connect tokens, ensuring token integrity during Google provider flows.
- Updated E2E and unit tests to cover new security features and expanded OAuth state handling scenarios.
Felipe Cardoso
2025-11-25 23:50:43 +01:00
parent 7716468d72
commit 400d6f6f75
14 changed files with 246 additions and 57 deletions


@@ -53,6 +53,18 @@ export default function OAuthCallbackPage() {
return;
}
// SECURITY: Validate state parameter against stored value (CSRF protection)
// This prevents cross-site request forgery attacks
const storedState = sessionStorage.getItem('oauth_state');
if (!storedState || storedState !== state) {
// Clean up stored state on mismatch
sessionStorage.removeItem('oauth_state');
sessionStorage.removeItem('oauth_mode');
sessionStorage.removeItem('oauth_provider');
setError(t('stateMismatch') || 'Invalid OAuth state. Please try again.');
return;
}
hasProcessed.current = true;
// Process the OAuth callback
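Review bot: the stored `oauth_state` is only removed on mismatch, so after a successful comparison it stays in `sessionStorage` and the same callback URL (same `code` and `state`) would pass this check again if it is re-opened in the same tab session; clear `oauth_state` (and ideally `oauth_mode` / `oauth_provider` once they have been read) right after the comparison succeeds, next to `hasProcessed.current = true;`, so the state is single-use on every path. The `!storedState || storedState !== state` condition itself is right: it also rejects a callback that arrives with no `state` query parameter at all.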