fix: address security and code quality issues from code review

Copilot · nomeguy · Copilot · commit 6f7138f92dfc · 2026-01-09T15:05:33.000Z
Co-authored-by: nomeguy &lt;85475922+nomeguy@users.noreply.github.com&gt;
diff --git a/internal/handler/casdoor_handler.go b/internal/handler/casdoor_handler.go
@@ -40,26 +40,31 @@ type Replacement struct {
 func ForwardAuthHandler(c *gin.Context) {
 	clientcode, err := c.Cookie("client-code")
 	if err != nil {
-		fmt.Println("no client code found in cookie")
+		log.Println("no client code found in cookie")
 		ForwardAuthHandlerWithoutState(c)
 		return
 	}
 	clientstate, err := c.Cookie("client-state")
 	if err != nil {
-		fmt.Println("no state found in cookie")
+		log.Println("no state found in cookie")
 		ForwardAuthHandlerWithoutState(c)
 		return
 	}
 	if err := checkCode(clientcode, clientstate); err != nil {
-		fmt.Printf("invalid code and state %s\n", err.Error())
+		log.Printf("invalid code and state: %s\n", err.Error())
 		ForwardAuthHandlerWithoutState(c)
 		return
 	}
 	ForwardAuthHandlerWithState(c)
 }
 
 func ForwardAuthHandlerWithoutState(c *gin.Context) {
-	body, _ := io.ReadAll(c.Request.Body)
+	body, err := io.ReadAll(c.Request.Body)
+	if err != nil {
+		log.Printf("error reading request body: %s\n", err.Error())
+		c.JSON(http.StatusBadRequest, gin.H{"error": "failed to read request body"})
+		return
+	}
 	state := httpstate.NewState(c.Request.Method, c.Request.Header, body)
 	stateNonce, err := stateStorage.SetState(state)
 	if err != nil {
@@ -77,17 +82,24 @@ func ForwardAuthHandlerWithoutState(c *gin.Context) {
 }
 
 func ForwardAuthHandlerWithState(c *gin.Context) {
-	fmt.Println("client code checked")
+	log.Println("client code checked")
 
 	var replacement Replacement
 	replacement.ShouldReplaceBody = true
 	replacement.ShouldReplaceHeader = true
 
 	stateString, _ := c.Cookie("client-state")
-	stateNonce, _ := strconv.Atoi(stateString)
+	stateNonce, err := strconv.Atoi(stateString)
+	if err != nil {
+		log.Printf("invalid state nonce %s: %s\n", stateString, err.Error())
+		replacement.ShouldReplaceBody = false
+		replacement.ShouldReplaceHeader = false
+		c.JSON(200, replacement)
+		return
+	}
 	state, err := stateStorage.PopState(stateNonce)
 	if err != nil {
-		fmt.Printf("no related state found, state nonce %s\n", stateString)
+		log.Printf("no related state found, state nonce %s: %s\n", stateString, err.Error())
 		replacement.ShouldReplaceBody = false
 		replacement.ShouldReplaceHeader = false
 		c.JSON(200, replacement)
@@ -105,19 +117,26 @@ func CasdoorCallbackHandler(c *gin.Context) {
 	var splits = strings.Split(config.CurrentConfig.PluginEndpoint, "://")
 	if len(splits) < 2 {
 		c.JSON(500, gin.H{
-			"error": "invalid webhook address in configuration" + stateString,
+			"error": "invalid webhook address in configuration",
 		})
 		return
 	}
 	domain := splits[1]
 	c.SetCookie("client-code", code, 3600, "/", domain, false, true)
 	c.SetCookie("client-state", stateString, 3600, "/", domain, false, true)
-	stateNonce, _ := strconv.Atoi(stateString)
+	stateNonce, err := strconv.Atoi(stateString)
+	if err != nil {
+		log.Printf("invalid state parameter %s: %s\n", stateString, err.Error())
+		c.JSON(500, gin.H{
+			"error": "invalid state parameter",
+		})
+		return
+	}
 	state, err := stateStorage.GetState(stateNonce)
 	if err != nil {
-		fmt.Printf("no related state found, state nonce %s\n", stateString)
+		log.Printf("no related state found, state nonce %s: %s\n", stateString, err.Error())
 		c.JSON(500, gin.H{
-			"error": "no related state found, state nonce " + stateString,
+			"error": "no related state found",
 		})
 		return
 	}
@@ -126,7 +145,6 @@ func CasdoorCallbackHandler(c *gin.Context) {
 	uri := state.Header.Get("X-Forwarded-URI")
 	url := fmt.Sprintf("%s://%s%s", scheme, host, uri)
 	c.Redirect(307, url)
-
 }
 
 func checkCode(code, state string) error {
diff --git a/internal/httpstate/state_memory_storage.go b/internal/httpstate/state_memory_storage.go
@@ -15,8 +15,9 @@
 package httpstate
 
 import (
+	"crypto/rand"
+	"encoding/binary"
 	"fmt"
-	"math/rand"
 	"sync"
 )
 
@@ -35,7 +36,15 @@ func (s *StateMemoryStorage) SetState(state *State) (int, error) {
 	s.Lock()
 	defer s.Unlock()
 
-	nonce := rand.Int()
+	// Generate cryptographically secure random nonce
+	var b [8]byte
+	if _, err := rand.Read(b[:]); err != nil {
+		return 0, fmt.Errorf("failed to generate random nonce: %w", err)
+	}
+	nonce := int(binary.BigEndian.Uint64(b[:]))
+	if nonce < 0 {
+		nonce = -nonce
+	}
 	s.content[nonce] = state
 	return nonce, nil
 }
@@ -50,7 +59,6 @@ func (s *StateMemoryStorage) PopState(nonce int) (*State, error) {
 
 	delete(s.content, nonce)
 	return state, nil
-
 }
 func (s *StateMemoryStorage) GetState(nonce int) (*State, error) {
 	s.Lock()
@@ -61,5 +69,4 @@ func (s *StateMemoryStorage) GetState(nonce int) (*State, error) {
 	}
 
 	return state, nil
-
 }
