krgamestudios/auth-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Patched a security hole in the validation hooks

Browse Source
This commit is contained in:
Kayne Ruse
2022-06-15 23:33:06 +01:00
parent 8a5957d6b4
commit 89b2b6ed7b
3 changed files with 43 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.envdev
+4 -1
View File
@@ -29,4 +29,7 @@ DB_LOGGING=
SECRET_ACCESS=access SECRET_ACCESS=access
# Make sure this value is kept secret # Make sure this value is kept secret
SECRET_REFRESH=refresh SECRET_REFRESH=refresh
# Post-signup hook JSON array (MUST include http:// or https://)
HOOK_POST_VALIDATION_ARRAY=
README.md
+4 -2
View File
@@ -28,8 +28,10 @@ Content-Type: application/json
//DOCS: Used for validating the email address specified above //DOCS: Used for validating the email address specified above
GET /auth/validation?username=example&token=12345678 GET /auth/validation?username=example&token=12345678
//DOCS: If the environment variable HOOK_POST_VALIDATION is set to a URL, then the server will send a GET message to that URL with the newly created account's index //DOCS: If the environment variable HOOK_POST_VALIDATION_ARRAY is set to a JSON array of valid URLs, then the server will send a GET message to each URL with the newly created account's index
GET https://{HOOK_POST_VALIDATION}?accountIndex={index} //DOCS: The GET requests will have a JWT authorization header
HOOK_POST_VALIDATION_ARRAY=["http://example.com", "http://example2.com"]
GET {HOOK_POST_VALIDATION_ARRAY[i]}?accountIndex={index}
### ###
server/auth/validation.js
+35 -6
View File
@@ -1,5 +1,6 @@
const { pendingSignups, accounts } = require('../database/models'); const { pendingSignups, accounts } = require('../database/models');
const fetch = require('node-fetch'); const fetch = require('node-fetch');
const jwt = require('jsonwebtoken');
//auth/validation //auth/validation
const route = async (req, res) => { const route = async (req, res) => {
@@ -38,14 +39,42 @@ const route = async (req, res) => {
res.status(200).send('Validation succeeded!'); res.status(200).send('Validation succeeded!');
//post-validation hook //post-validation hook
if (process.env.HOOK_POST_VALIDATION) { if (process.env.HOOK_POST_VALIDATION_ARRAY) {
const probe = await fetch(`https://${process.env.HOOK_POST_VALIDATION}?accountIndex=${account.index}`); try {
hooks = JSON.parse(process.env.HOOK_POST_VALIDATION_ARRAY);
if (!probe.ok) { if (!Array.isArray(hooks)) {
console.error('Could not probe the post validation hook'); throw 'isArray() check failed';
}
//authenticate the hooks
const bearer = jwt.sign({ type: 'hook authentication' }, process.env.SECRET_ACCESS, { expiresIn: '5m', issuer: 'auth' });
//promise for each given hook
const promises = hooks.map(async hook => {
if (typeof hook != 'string') {
throw 'hook is not a string';
}
const probe = await fetch(`${hook}?accountIndex=${account.index}`, {
method: 'GET',
headers: {
'Authorization': `Bearer ${bearer}`
}
});
if (!probe.ok) {
throw `Could not probe the post validation hook: ${hook}`;
}
//discard the result
});
Promise.all(promises);
}
catch(e) {
console.error('HOOK_POST_VALIDATION_ARRAY is not a valid array of strings in JSON format: ' + e);
} }
//discard the result
} }
}; };