From bbec3d87a356cd6401ba16e47554780a1ecd8ced Mon Sep 17 00:00:00 2001
From: vnugent
Date: Tue, 9 Jan 2024 20:19:35 -0500
Subject: Add path verification to claim

---
 .../src/ClientClaimManager.cs | 15 +++++++++------
 .../src/LoginClaim.cs | 3 +++
 .../src/SocialOauthBase.cs | 2 +-
 3 files changed, 13 insertions(+), 7 deletions(-)

(limited to 'plugins/VNLib.Plugins.Essentials.Auth.Social/src')

diff --git a/plugins/VNLib.Plugins.Essentials.Auth.Social/src/ClientClaimManager.cs b/plugins/VNLib.Plugins.Essentials.Auth.Social/src/ClientClaimManager.cs
index 0c4f9ba..d078964 100644
--- a/plugins/VNLib.Plugins.Essentials.Auth.Social/src/ClientClaimManager.cs
+++ b/plugins/VNLib.Plugins.Essentials.Auth.Social/src/ClientClaimManager.cs
@@ -29,13 +29,12 @@ using VNLib.Hashing;
 using VNLib.Hashing.IdentityUtility;
 using VNLib.Utils;
 using VNLib.Utils.Memory;
-using VNLib.Utils.Extensions;
 using VNLib.Plugins.Essentials.Accounts;
 using VNLib.Plugins.Essentials.Extensions;
 
 namespace VNLib.Plugins.Essentials.Auth.Social
 {
-    internal sealed record class ClientClaimManager(ICookieController Cookies)
+    internal sealed record class ClientClaimManager(ICookieController Cookies, string Path)
     {
         const string SESSION_SIG_KEY_NAME = "soa.sig";
         const int SIGNING_KEY_SIZE = 32;
@@ -75,10 +74,11 @@ namespace VNLib.Plugins.Essentials.Auth.Social
                 }
 
                 //Recover the clam from the jwt
-                claim = jwt.GetPayload();
+                claim = jwt.GetPayload(Statics.SR_OPTIONS)!;
 
-                //Verify the expiration time
-                return claim.ExpirationSeconds > entity.RequestedTimeUtc.ToUnixTimeSeconds();
+                //Verify the expiration time and path incase the wrong endpoint was called
+                return string.Equals(claim.Path, Path, StringComparison.OrdinalIgnoreCase)
+                    && claim.ExpirationSeconds > entity.RequestedTimeUtc.ToUnixTimeSeconds();
             }
             catch (FormatException)
             {
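Review bot: The new path comparison succeeds when both sides are null, because `string.Equals(null, null)` returns true, so a claim carrying no `path` field (for example one issued before this change) verified by a manager constructed with a null `Path` passes the endpoint check it was meant to enforce. Require the claim to actually carry a path: `return !string.IsNullOrEmpty(claim.Path) && string.Equals(claim.Path, Path, StringComparison.OrdinalIgnoreCase) && claim.ExpirationSeconds > entity.RequestedTimeUtc.ToUnixTimeSeconds();`. The null-forgiving `!` on `GetPayload` also means a token with no payload would fail at `claim.Path` with a NullReferenceException rather than the `FormatException` the visible catch handles, unless a broader catch clause exists beyond the hunk. Ordinal case-insensitive matching is looser than typical case-sensitive URL routing; that is presumably acceptable here, but worth confirming the configured endpoint paths never differ only by case. The enclosing method begins before this hunk.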
@@ -105,6 +105,9 @@ namespace VNLib.Plugins.Essentials.Auth.Social
                 //Setup Jwt
                 using JsonWebToken jwt = new();
 
+                //Set the claim's path to verify later
+                claim.Path = Path;
+
                 //Write claim body, we dont need a header
                 jwt.WritePayload(claim, Statics.SR_OPTIONS);
 
@@ -120,7 +123,7 @@ namespace VNLib.Plugins.Essentials.Auth.Social
                 entity.Session[SESSION_SIG_KEY_NAME] = VnEncoding.ToBase64UrlSafeString(sigKey, false);
 
                 //Clear the signing key
-                MemoryUtil.InitializeBlock(sigKey.AsSpan());
+                MemoryUtil.InitializeBlock(sigKey);
             }
         }
     }
diff --git a/plugins/VNLib.Plugins.Essentials.Auth.Social/src/LoginClaim.cs b/plugins/VNLib.Plugins.Essentials.Auth.Social/src/LoginClaim.cs
index 70acff0..30a51fa 100644
--- a/plugins/VNLib.Plugins.Essentials.Auth.Social/src/LoginClaim.cs
+++ b/plugins/VNLib.Plugins.Essentials.Auth.Social/src/LoginClaim.cs
@@ -51,6 +51,9 @@ namespace VNLib.Plugins.Essentials.Auth.Social
         [JsonPropertyName("clientid")]
         public string? ClientId { get; set; }
 
+        [JsonPropertyName("path")]
+        public string? Path { get; set; }
+
         public void ComputeNonce(int nonceSize)
         {
 
diff --git a/plugins/VNLib.Plugins.Essentials.Auth.Social/src/SocialOauthBase.cs b/plugins/VNLib.Plugins.Essentials.Auth.Social/src/SocialOauthBase.cs
index 52da637..5c2ffd6 100644
--- a/plugins/VNLib.Plugins.Essentials.Auth.Social/src/SocialOauthBase.cs
+++ b/plugins/VNLib.Plugins.Essentials.Auth.Social/src/SocialOauthBase.cs
@@ -112,7 +112,7 @@ namespace VNLib.Plugins.Essentials.Auth.Social
                 Path = Path
             };
 
-            _claims = new(cookies);
+            _claims = new(cookies, Config.EndpointPath);
 
             //Define the site adapter
             SiteAdapter = new();
-- 
cgit
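Review bot: The new `Path` property on `LoginClaim` carries no documentation saying that it is part of the signed claim and is compared at verification time, so a reader of this DTO could treat it as a free-form field or set it from request input. Add above the attribute: `/// <summary>Endpoint path the claim was issued for. Assigned by the claim manager before the claim is signed and compared against the redeeming endpoint's path during verification.</summary>`. Since the setter stays public and the claim manager overwrites the value before signing, any caller-supplied value is discarded; if that is intentional, saying so in the summary avoids a future "fix".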
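Review bot: The claim manager is bound to `Config.EndpointPath` while the cookie options a few lines above are scoped with `Path = Path`; if those two values can differ, every issued claim fails the new path comparison, and if `Config.EndpointPath` is null the comparison degenerates to matching a claim with no path at all. Validate the value at construction, e.g. `ArgumentException.ThrowIfNullOrWhiteSpace(Config.EndpointPath);` immediately before `_claims = new(cookies, Config.EndpointPath);` (or an explicit null/empty check on older target frameworks), and consider passing the same `Path` value used for the cookie if the two are meant to be identical. The constructor this sits in begins and ends outside the hunk, so I cannot tell whether `EndpointPath` is already checked elsewhere.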