refactor(core): Use consistent CSRF state validation across oAuth controllers (#9104)

Co-authored-by: Danny Martini <danny@n8n.io>
2025-12-18 18:41:14 +00:00 · 2024-05-23 19:08:01 +02:00
parent 3b93aae6dc
commit b585777c79
6 changed files with 183 additions and 90 deletions
--- a/packages/cli/src/controllers/oauth/oAuth1Credential.controller.ts
+++ b/packages/cli/src/controllers/oauth/oAuth1Credential.controller.ts
@@ -4,13 +4,11 @@ import axios from 'axios';
 import type { RequestOptions } from 'oauth-1.0a';
 import clientOAuth1 from 'oauth-1.0a';
 import { createHmac } from 'crypto';
-import { RESPONSE_ERROR_MESSAGES } from '@/constants';
 import { Get, RestController } from '@/decorators';
 import { OAuthRequest } from '@/requests';
 import { sendErrorResponse } from '@/ResponseHelper';
-import { AbstractOAuthController } from './abstractOAuth.controller';
+import { AbstractOAuthController, type CsrfStateParam } from './abstractOAuth.controller';
 import { NotFoundError } from '@/errors/response-errors/not-found.error';
-import { ServiceUnavailableError } from '@/errors/response-errors/service-unavailable.error';

 interface OAuth1CredentialData {
 	signatureMethod: 'HMAC-SHA256' | 'HMAC-SHA512' | 'HMAC-SHA1';
@@ -44,6 +42,7 @@ export class OAuth1CredentialController extends AbstractOAuthController {
 			decryptedDataOriginal,
 			additionalData,
 		);
+		const [csrfSecret, state] = this.createCsrfState(credential.id);

 		const signatureMethod = oauthCredentials.signatureMethod;

@@ -61,7 +60,7 @@ export class OAuth1CredentialController extends AbstractOAuthController {
 		};

 		const oauthRequestData = {
-			oauth_callback: `${this.baseUrl}/callback?cid=${credential.id}`,
+			oauth_callback: `${this.baseUrl}/callback?state=${state}`,
 		};

 		await this.externalHooks.run('oauth1.authenticate', [oAuthOptions, oauthRequestData]);
@@ -90,6 +89,7 @@ export class OAuth1CredentialController extends AbstractOAuthController {

 		const returnUri = `${oauthCredentials.authUrl}?oauth_token=${responseJson.oauth_token}`;

+		decryptedDataOriginal.csrfSecret = csrfSecret;
 		await this.encryptAndSaveData(credential, decryptedDataOriginal);

 		this.logger.verbose('OAuth1 authorization successful for new credential', {
@@ -103,31 +103,31 @@ export class OAuth1CredentialController extends AbstractOAuthController {
 	/** Verify and store app code. Generate access tokens and store for respective credential */
 	@Get('/callback', { usesTemplates: true })
 	async handleCallback(req: OAuthRequest.OAuth1Credential.Callback, res: Response) {
+		const userId = req.user?.id;
 		try {
-			const { oauth_verifier, oauth_token, cid: credentialId } = req.query;
+			const { oauth_verifier, oauth_token, state: encodedState } = req.query;

-			if (!oauth_verifier || !oauth_token) {
-				const errorResponse = new ServiceUnavailableError(
-					`Insufficient parameters for OAuth1 callback. Received following query parameters: ${JSON.stringify(
-						req.query,
-					)}`,
+			if (!oauth_verifier || !oauth_token || !encodedState) {
+				return this.renderCallbackError(
+					res,
+					'Insufficient parameters for OAuth1 callback.',
+					`Received following query parameters: ${JSON.stringify(req.query)}`,
 				);
-				this.logger.error('OAuth1 callback failed because of insufficient parameters received', {
-					userId: req.user?.id,
-					credentialId,
-				});
-				return sendErrorResponse(res, errorResponse);
 			}

-			const credential = await this.getCredentialWithoutUser(credentialId);
+			let state: CsrfStateParam;
+			try {
+				state = this.decodeCsrfState(encodedState);
+			} catch (error) {
+				return this.renderCallbackError(res, (error as Error).message);
+			}

+			const credentialId = state.cid;
+			const credential = await this.getCredentialWithoutUser(credentialId);
 			if (!credential) {
-				this.logger.error('OAuth1 callback failed because of insufficient user permissions', {
-					userId: req.user?.id,
-					credentialId,
-				});
-				const errorResponse = new NotFoundError(RESPONSE_ERROR_MESSAGES.NO_CREDENTIAL);
-				return sendErrorResponse(res, errorResponse);
+				const errorMessage = 'OAuth1 callback failed because of insufficient permissions';
+				this.logger.error(errorMessage, { userId, credentialId });
+				return this.renderCallbackError(res, errorMessage);
 			}

 			const additionalData = await this.getAdditionalData(req.user);
@@ -138,6 +138,12 @@ export class OAuth1CredentialController extends AbstractOAuthController {
 				additionalData,
 			);

+			if (this.verifyCsrfState(decryptedDataOriginal, state)) {
+				const errorMessage = 'The OAuth1 callback state is invalid!';
+				this.logger.debug(errorMessage, { userId, credentialId });
+				return this.renderCallbackError(res, errorMessage);
+			}
+
 			const options: AxiosRequestConfig = {
 				method: 'POST',
 				url: oauthCredentials.accessTokenUrl,
@@ -152,10 +158,7 @@ export class OAuth1CredentialController extends AbstractOAuthController {
 			try {
 				oauthToken = await axios.request(options);
 			} catch (error) {
-				this.logger.error('Unable to fetch tokens for OAuth1 callback', {
-					userId: req.user?.id,
-					credentialId,
-				});
+				this.logger.error('Unable to fetch tokens for OAuth1 callback', { userId, credentialId });
 				const errorResponse = new NotFoundError('Unable to get access tokens!');
 				return sendErrorResponse(res, errorResponse);
 			}
@@ -171,14 +174,13 @@ export class OAuth1CredentialController extends AbstractOAuthController {
 			await this.encryptAndSaveData(credential, decryptedDataOriginal);

 			this.logger.verbose('OAuth1 callback successful for new credential', {
-				userId: req.user?.id,
+				userId,
 				credentialId,
 			});
 			return res.render('oauth-callback');
 		} catch (error) {
 			this.logger.error('OAuth1 callback failed because of insufficient user permissions', {
-				userId: req.user?.id,
-				credentialId: req.query.cid,
+				userId,
 			});
 			// Error response
 			return sendErrorResponse(res, error as Error);