feat: Update serverless function NUS auth user endpoint with invalid relay state handling (#3644)

* Add user endpoint for NUS auth serverless fns

* Allow callback URLs from authorised domains

* Fix tests

---------

Co-authored-by: Jonathan Loh <[email protected]>
Co-authored-by: Jonathan Loh <[email protected]>

Author: chrisgzf

website/api/nus/auth/login.ts

@@ -1,4 +1,4 @@
-import { authenticate } from '../../../src/serverless/nus-auth';
+import { authenticate, isCallbackUrlValid } from '../../../src/serverless/nus-auth';
 import {
   createRouteHandler,
   defaultFallback,
@@ -8,6 +8,7 @@ import {
 
 const errors = {
   noRelayState: 'ERR_NO_RELAY_STATE',
+  invalidRelayState: 'ERR_INVALID_RELAY_STATE',
 };
 
 const handlePost: Handler = async (req, res) => {
@@ -17,6 +18,9 @@ const handlePost: Handler = async (req, res) => {
       throw new Error(errors.noRelayState);
     }
 
+    if (!isCallbackUrlValid(relayState)) {
+      throw new Error(errors.invalidRelayState);
+    }
     const userURL = new URL(relayState);
     userURL.searchParams.append('token', token);
 
@@ -26,6 +30,10 @@ const handlePost: Handler = async (req, res) => {
       res.json({
         message: 'Relay state not found in request',
       });
+    } else if (err.message === errors.invalidRelayState) {
+      res.json({
+        message: 'Invalid relay state given. URL must be from a valid domain.',
+      });
     } else {
       throw err;
     }

website/api/nus/auth/sso.ts

@@ -1,4 +1,4 @@
-import { createLoginURL } from '../../../src/serverless/nus-auth';
+import { createLoginURL, isCallbackUrlValid } from '../../../src/serverless/nus-auth';
 import {
   createRouteHandler,
   defaultFallback,
@@ -9,6 +9,7 @@ import {
 
 const errors = {
   noCallbackUrl: 'ERR_NO_REFERER',
+  invalidCallbackUrl: 'ERR_INVALID_REFERER',
 };
 
 function getCallbackUrl(callback: string | string[] | undefined) {
@@ -24,12 +25,20 @@ const handleGet: Handler = async (req, res) => {
       throw new Error(errors.noCallbackUrl);
     }
 
+    if (!isCallbackUrlValid(callback)) {
+      throw new Error(errors.invalidCallbackUrl);
+    }
+
     res.send(createLoginURL(callback));
   } catch (err) {
     if (err.message === errors.noCallbackUrl) {
       res.json({
         message: 'Request needs a referer',
       });
+    } else if (err.message === errors.invalidCallbackUrl) {
+      res.json({
+        message: 'Invalid referer given. URL must be from a valid domain.',
+      });
     } else {
       throw err;
     }

website/api/nus/auth/user.ts

@@ -0,0 +1,19 @@
+import { authenticate } from '../../../src/serverless/nus-auth';
+import {
+  createRouteHandler,
+  defaultFallback,
+  defaultRescue,
+  Handler,
+  MethodHandlers,
+} from '../../../src/serverless/handler';
+
+const handleGet: Handler = async (req, res) => {
+  const { user } = await authenticate(req);
+  res.json(user);
+};
+
+const methodHandlers: MethodHandlers = {
+  GET: handleGet,
+};
+
+export default createRouteHandler(methodHandlers, defaultFallback, defaultRescue(true));

website/src/serverless/nus-auth.ts

@@ -15,6 +15,9 @@ const errors = {
   noTokenSupplied: 'ERR_NO_TOKEN_SUPPLIED',
 };
 
+// Domains allowed as callback URLs
+const allowedDomains = ['nusmods.com', 'nuscourses.com', 'modsn.us', 'localhost'];
+
 export type User = {
   accountName: string;
   upn: string;
@@ -45,6 +48,28 @@ export const createLoginURL = (relayState = '') => {
   return ssoLoginURL.toString();
 };
 
+export const isCallbackUrlValid = (callbackUrl: string): boolean => {
+  try {
+    const url = new URL(callbackUrl);
+
+    const validMatch = allowedDomains.some(
+      (allowedDomain) =>
+        url.hostname.endsWith(`.${allowedDomain}`) || url.hostname === allowedDomain,
+    );
+
+    if (!validMatch) {
+      // eslint-disable-next-line no-console
+      console.error('Invalid callback URL given by user:', callbackUrl);
+    }
+
+    return validMatch;
+  } catch (error) {
+    // eslint-disable-next-line no-console
+    console.error('Invalid callback URL:', error);
+    return false;
+  }
+};
+
 export const authenticate = async (req: Request) => {
   const tokenProvided = req.headers.authorization || (req.body && req.body.SAMLResponse);
   if (!tokenProvided) {

website/src/views/modules/ModuleArchiveContainer.test.tsx

@@ -1,4 +1,4 @@
-import { screen, waitFor } from '@testing-library/react';
+import { act, screen, waitFor } from '@testing-library/react';
 import { Provider } from 'react-redux';
 import axios, { AxiosError, AxiosHeaders, AxiosResponse } from 'axios';
 
@@ -82,6 +82,7 @@ describe(ModuleArchiveContainerComponent, () => {
   test('should show 404 page when the course code does not exist', async () => {
     mockAxiosRequest.mockRejectedValue(notFoundError);
     make('/archive/CS1234/2017-2018');
+    await act(() => Promise.resolve()); // Wait for the react to finish updates
     expect(
       await screen.findByText(/course CS1234 not found/, { exact: false }),
     ).toBeInTheDocument();

website/src/views/modules/ModulePageContainer.test.tsx

@@ -1,4 +1,4 @@
-import { screen, waitFor } from '@testing-library/react';
+import { act, screen, waitFor } from '@testing-library/react';
 import { Provider } from 'react-redux';
 import axios, { AxiosError, AxiosHeaders, AxiosResponse } from 'axios';
 
@@ -82,6 +82,7 @@ describe(ModulePageContainerComponent, () => {
   test('should show 404 page when the module code does not exist', async () => {
     mockAxiosRequest.mockRejectedValue(notFoundError);
     make('/courses/CS1234');
+    await act(() => Promise.resolve()); // Wait for the react to finish updates
     expect(await screen.findByText(/course CS1234 not found/)).toBeInTheDocument();
   });