douglasmakey/oauth2-example

logic flaw

Yonneh0 opened this issue · 1 comment

I realize this is old code, but I felt like I should give a heads-up, in case anyone else comes across this.

The whole cookie portion accomplishes nothing: it just verifies the cookie from the client against the state, which also comes from the client. It may add some obfuscation, but I don't believe it is achieving the intended result.

My solution was:

  • keep a global map[string]struct{exp time.Time,state string}, with the key being the client's IP address
  • lock the map with a sync.Mutex at every read/write
  • periodically (every few hours, days, w/e) iterate the map, and delete expired matches

However, after some quick googling, a far better version of my solution exists: https://github.com/letsencrypt/boulder/blob/main/nonce/nonce.go

```go
// The check in the repository's callback handler that this issue refers to:
// both r.FormValue("state") and the oauthState cookie arrive in the same client request.
if r.FormValue("state") != oauthState.Value {
```
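The store the post sketches, written out as an added Go example. It is not code from douglasmakey/oauth2-example and not the issue author's implementation; the type and method names (StateStore, Issue, Verify, Sweep), the 10-minute TTL and the sample IP addresses are assumptions chosen here. It keeps the post's design (a map keyed by the client's IP, guarded by a sync.Mutex, with expiring entries swept periodically) and makes each issued state single-use so a value cannot be replayed.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"sync"
	"time"
)

// stateEntry is one pending OAuth2 state value and the instant it stops being valid.
type stateEntry struct {
	exp   time.Time
	state string
}

// StateStore keeps issued state values on the server, keyed by a caller-chosen
// string (the client IP, as the post suggests; a session id works the same way).
type StateStore struct {
	mu      sync.Mutex
	entries map[string]stateEntry
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be exercised in tests
}

func NewStateStore(ttl time.Duration) *StateStore {
	return &StateStore{entries: make(map[string]stateEntry), ttl: ttl, now: time.Now}
}

// Issue generates a fresh 256-bit random state for key, replacing any pending
// one, and returns the value to embed in the authorization redirect.
func (s *StateStore) Issue(key string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	state := base64.RawURLEncoding.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.entries[key] = stateEntry{exp: s.now().Add(s.ttl), state: state}
	return state, nil
}

// Verify checks the state returned on the callback against the pending one for
// key. A match consumes the entry (single use); an expired entry is rejected and
// dropped; a mismatch leaves the pending entry in place.
func (s *StateStore) Verify(key, state string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.entries[key]
	if !ok {
		return false
	}
	if !s.now().Before(e.exp) {
		delete(s.entries, key)
		return false
	}
	if subtle.ConstantTimeCompare([]byte(e.state), []byte(state)) != 1 {
		return false
	}
	delete(s.entries, key)
	return true
}

// Sweep drops every expired entry and reports how many were removed; run it
// periodically from a goroutine so abandoned logins do not accumulate.
func (s *StateStore) Sweep() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	now, n := s.now(), 0
	for k, e := range s.entries {
		if !now.Before(e.exp) {
			delete(s.entries, k)
			n++
		}
	}
	return n
}

// Pending reports how many state values are currently stored.
func (s *StateStore) Pending() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.entries)
}

func main() {
	store := NewStateStore(10 * time.Minute)
	ip := "203.0.113.7" // constructed client address
	state, _ := store.Issue(ip)
	fmt.Println("forged state accepted:", store.Verify(ip, "attacker-chosen"))
	fmt.Println("issued state accepted:", store.Verify(ip, state))
	fmt.Println("replay accepted:", store.Verify(ip, state))
}
```

On the callback, `store.Verify(clientIP, r.FormValue("state"))` is the check the post proposes in place of the quoted cookie comparison, with `store.Issue(clientIP)` called when the login redirect is built. One caveat on the IP-keyed design: two users behind the same NAT or proxy overwrite each other's pending state, so keying by an opaque session identifier is the safer choice; the store above accepts any string key, so that change needs no other edits.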