Add state support to PKCE implementation #2114
Open
+12
−11
Issue Ref: 1003
Description
State is a recommended part of the PKCE OAuth2 spec, but it is required by our identity provider (Okta). This implements support for state in a fairly straightforward manner. We use the unique session id from the Oauth2 class (which might be the electron store?) and we make that URL safe and pass it along as a query param when the PKCE checkbox is enabled in the OAuth2 authorization code flow.
I implemented one more fix in the oauth2 helper file, also due to Okta. The code previously had a conditional that checked for a code URL parameter when in the redirect flow, but Okta returned that parameter before the final redirect was reached. That meant I changed the logic to say if we're at the callback URL and we see this code query parameter, then execute the rest of the code. This should be backward compatible with anything else since only the PKCE flow uses this function and the callback URL is a requirement of the PKCE flow.
See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 for more information on state.
This pull request includes changes to the `packages/bruno-electron/src/ipc/network` directory that focus on improving the OAuth2 authentication process. The key changes involve enhancing the URL redirect validation in the `authorizeUserInWindow` function, simplifying the hash generation process in the `generateCodeVerifier` function, and adding a unique state parameter in the `getOAuth2AuthorizationCode` function.

URL Redirect Validation:

- `packages/bruno-electron/src/ipc/network/authorize-user-in-window.js`: The `onWindowRedirect` function now checks if the URL includes the `callbackUrl` before checking for an authorization code. This change ensures that the `finalUrl` is always the `callbackUrl`.

Hash Generation:

- `packages/bruno-electron/src/ipc/network/oauth2-helper.js`: The `generateCodeChallenge` function has been renamed to `generateUniqueHash` and simplified. It now directly creates a SHA-256 hash of the input string and returns it in base64url format. This function is used to generate a unique hash for the `codeVerifier` and the `state` parameter.

OAuth2 Authorization Code Retrieval:

- `packages/bruno-electron/src/ipc/network/oauth2-helper.js`: The `getOAuth2AuthorizationCode` function now generates a unique state parameter using the session ID of the collection and includes this in the OAuth2 query parameters. This change adds an extra layer of security to the OAuth2 process by mitigating cross-site request forgery attacks.

Contribution Checklist: