address review comments

Signed-off-by: Bob Callaway <bcallaway@google.com>
This commit is contained in:
Bob Callaway 2022-09-26 15:16:18 -04:00
parent cf3b19a952
commit 793bcc4b61
No known key found for this signature in database
2 changed files with 5 additions and 2 deletions

View File

@ -502,6 +502,8 @@ func (s *Server) finalizeLogin(identity connector.Identity, authReq storage.Auth
// TODO: if s.skipApproval or !authReq.ForceApprovalPrompt, we can skip the redirect to /approval and go ahead and send code
// an HMAC is used here to ensure that the request ID is unpredictable, ensuring that an attacker who intercepted the original
// flow would be unable to poll for the result at the /approval endpoint
h := hmac.New(sha256.New, authReq.HMACKey)
h.Write([]byte(authReq.ID))
mac := h.Sum(nil)
@ -576,7 +578,7 @@ func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) {
// build expected hmac with secret key
h := hmac.New(sha256.New, authReq.HMACKey)
h.Write([]byte(r.FormValue("req")))
h.Write([]byte(authReq.ID))
expectedMAC := h.Sum(nil)
// constant time comparison
if !hmac.Equal(mac, expectedMAC) {

View File

@ -144,7 +144,8 @@ func (c *conn) CreateAuthRequest(a storage.AuthRequest) error {
a.Claims.Email, a.Claims.EmailVerified, encoder(a.Claims.Groups),
a.ConnectorID, a.ConnectorData,
a.Expiry,
a.PKCE.CodeChallenge, a.PKCE.CodeChallengeMethod, a.HMACKey,
a.PKCE.CodeChallenge, a.PKCE.CodeChallengeMethod,
a.HMACKey,
)
if err != nil {
if c.alreadyExistsCheck(err) {