Skip to content

fix(auth): prevent client-supplied auth params from overriding reserved OIDC fields#158

Open
itpropro wants to merge 1 commit into
mainfrom
codex/propose-fix-for-oidc-vulnerability
Open

fix(auth): prevent client-supplied auth params from overriding reserved OIDC fields#158
itpropro wants to merge 1 commit into
mainfrom
codex/propose-fix-for-oidc-vulnerability

Conversation

@itpropro

Copy link
Copy Markdown
Owner

Motivation

  • The login handler accepted client-supplied query parameters listed in allowedClientAuthParameters and forwarded them after server-controlled fields, allowing forwarded names (e.g. redirectUri, responseType, clientId, codeChallenge, scope) to override critical OIDC authorization parameters.

Description

  • Added a reservedAuthParameters denylist in src/runtime/server/handler/login.get.ts and skip any allowedClientAuthParameters that match these reserved names to prevent override of protocol-sensitive fields.
  • The login handler still forwards non-reserved, allowlisted client parameters unchanged so existing non-sensitive custom forwarding is preserved.
  • Updated provider option documentation in src/runtime/server/utils/provider.ts to state that reserved OAuth/OIDC parameters are always blocked.

Testing

  • Ran pnpm -s vitest run test/unit/utils/config.test.ts against the modified code and the run failed due to test environment configuration (the repository tsconfig.json extends ./.nuxt/tsconfig.json which is not generated in this environment), so automated unit tests could not be completed here.
  • No other automated tests were added or executed in this environment; changes are minimal and limited to the login handler input filtering logic.

Codex Task

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d5d71fa149

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +69 to +70
if (reservedAuthParameters.has(param)) {
return

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Normalize reserved auth param names before filtering

The new denylist check only compares the raw allowedClientAuthParameters entry against camelCase names, so a reserved field can still be forwarded and override server values when configured in snake_case (for example response_type, client_id, redirect_uri, code_challenge). Because client params are later passed through convertObjectToSnakeCase(...) and merged after the server-built query, this bypass reintroduces the override path this commit is intended to close whenever a project allowlists snake_case keys.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant