Update callback url check

Co-authored-by: Denis Arnst <git@sapd.eu>
2025-08-11 09:13:49 -04:00 · 2025-08-10 17:08:25 -05:00 · 2025-08-10 17:08:25 -05:00 · 99a3867ce9
commit 99a3867ce9
parent 2116f60133
3 changed files with 64 additions and 3 deletions
--- a/server/Auth.js
+++ b/server/Auth.js
@ -213,6 +213,7 @@ class Auth {
   * @param {Request} req
   * @param {Response} res
   * @param {string} authMethod - The authentication method, default is 'local'.
+   * @returns {Object|null} - Returns error object if validation fails, null if successful
   */
  paramsToCookies(req, res, authMethod = 'local') {
    const TWO_MINUTES = 120000 // 2 minutes in milliseconds
@ -227,13 +228,23 @@ class Auth {

      // Validate and store the callback URL
      if (!callback) {
-        return res.status(400).send({ message: 'No callback parameter' })
+        res.status(400).send({ message: 'No callback parameter' })
+        return { error: 'No callback parameter' }
      }
+
+      // Security: Validate callback URL is same-origin only
+      if (!this.oidcAuthStrategy.isValidWebCallbackUrl(callback, req)) {
+        Logger.warn(`[Auth] Rejected invalid callback URL: ${callback}`)
+        res.status(400).send({ message: 'Invalid callback URL - must be same-origin' })
+        return { error: 'Invalid callback URL - must be same-origin' }
+      }
+
      res.cookie('auth_cb', callback, { maxAge: TWO_MINUTES, httpOnly: true })
    }

    // Store the authentication method for long
    res.cookie('auth_method', authMethod, { maxAge: 1000 * 60 * 60 * 24 * 365 * 10, httpOnly: true })
+    return null
  }

  /**
@ -254,7 +265,6 @@ class Auth {
      res.json(userResponse)
    } else {
      // UI request -> check if we have a callback url
-      // TODO: do we want to somehow limit the values for auth_cb?
      if (req.cookies.auth_cb) {
        let stateQuery = req.cookies.auth_state ? `&state=${req.cookies.auth_state}` : ''
        // UI request -> redirect to auth_cb url and send the jwt token as parameter
@ -350,7 +360,11 @@ class Auth {
        return res.status(authorizationUrlResponse.status).send(authorizationUrlResponse.error)
      }

-      this.paramsToCookies(req, res, authorizationUrlResponse.isMobileFlow ? 'openid-mobile' : 'openid')
+      // Check if paramsToCookies sent a response (e.g., due to invalid callback URL)
+      const cookieResult = this.paramsToCookies(req, res, authorizationUrlResponse.isMobileFlow ? 'openid-mobile' : 'openid')
+      if (cookieResult && cookieResult.error) {
+        return // Response already sent by paramsToCookies
+      }

      res.redirect(authorizationUrlResponse.authorizationUrl)
    })
--- a/server/Server.js
+++ b/server/Server.js
@ -229,6 +229,10 @@ class Server {
        res.setHeader('Content-Security-Policy', "frame-ancestors 'self'")
      }

+      // Security: Prevent referrer leakage to protect against token exposure
+      // Using 'no-referrer' to completely prevent token leakage in referer headers
+      res.setHeader('Referrer-Policy', 'no-referrer')
+
      /**
       * @temporary
       * This is necessary for the ebook & cover API endpoint in the mobile apps
--- a/server/auth/OidcAuthStrategy.js
+++ b/server/auth/OidcAuthStrategy.js
@ -483,6 +483,49 @@ class OidcAuthStrategy {
      res.status(500).send('Internal Server Error')
    }
  }
+
+  /**
+   * Validates if a callback URL is safe for redirect (same-origin only)
+   * @param {string} callbackUrl - The callback URL to validate
+   * @param {Request} req - Express request object to get current host
+   * @returns {boolean} - True if the URL is safe (same-origin), false otherwise
+   */
+  isValidWebCallbackUrl(callbackUrl, req) {
+    if (!callbackUrl) return false
+
+    try {
+      // Handle relative URLs - these are always safe if they start with router base path
+      if (callbackUrl.startsWith('/')) {
+        // Only allow relative paths that start with the router base path
+        if (callbackUrl.startsWith(global.RouterBasePath + '/')) {
+          return true
+        }
+        Logger.warn(`[OidcAuth] Rejected callback URL outside router base path: ${callbackUrl}`)
+        return false
+      }
+
+      // For absolute URLs, ensure they point to the same origin
+      const callbackUrlObj = new URL(callbackUrl)
+      const currentProtocol = req.secure || req.get('x-forwarded-proto') === 'https' ? 'https' : 'http'
+      const currentHost = req.get('host')
+
+      // Check if protocol and host match exactly
+      if (callbackUrlObj.protocol === currentProtocol + ':' && callbackUrlObj.host === currentHost) {
+        // Additional check: ensure path starts with router base path
+        if (callbackUrlObj.pathname.startsWith(global.RouterBasePath + '/')) {
+          return true
+        }
+        Logger.warn(`[OidcAuth] Rejected same-origin callback URL outside router base path: ${callbackUrl}`)
+        return false
+      }
+
+      Logger.warn(`[OidcAuth] Rejected callback URL to different origin: ${callbackUrl} (expected ${currentProtocol}://${currentHost})`)
+      return false
+    } catch (error) {
+      Logger.error(`[OidcAuth] Invalid callback URL format: ${callbackUrl}`, error)
+      return false
+    }
+  }
 }

 module.exports = OidcAuthStrategy