refactor: pull csrf into a shared module

Author: panva

lib/actions/code_verification.js

@@ -1,11 +1,10 @@
-import * as crypto from 'node:crypto';
-
 import sessionMiddleware from '../shared/session.js';
 import paramsMiddleware from '../shared/assemble_params.js';
 import bodyParser from '../shared/conditional_body.js';
 import rejectDupes from '../shared/reject_dupes.js';
 import instance from '../helpers/weak_cache.js';
-import { InvalidClient, InvalidRequest } from '../helpers/errors.js';
+import { InvalidClient } from '../helpers/errors.js';
+import { generateXsrf, checkXsrf } from '../shared/xsrf.js';
 import * as formHtml from '../helpers/user_code_form.js';
 import formPost from '../response_modes/form_post.js';
 import { normalize, denormalize } from '../helpers/user_codes.js';
@@ -18,13 +17,11 @@ const parseBody = bodyParser.bind(undefined, 'application/x-www-form-urlencoded'
 export const get = [
   sessionMiddleware,
   paramsMiddleware.bind(undefined, new Set(['user_code'])),
+  generateXsrf,
   async function renderCodeVerification(ctx) {
     const { charset, userCodeInputSource } = instance(ctx.oidc.provider).features.deviceFlow;
 
-    // TODO: generic xsrf middleware to remove this
-    const secret = crypto.randomBytes(24).toString('hex');
-    ctx.oidc.session.state = { secret };
-
+    const { secret } = ctx.oidc.session.state;
     const action = ctx.oidc.urlFor('code_verification');
     if (ctx.oidc.params.user_code) {
       formPost(ctx, action, {
@@ -43,15 +40,7 @@ export const post = [
   paramsMiddleware.bind(undefined, new Set(['xsrf', 'user_code', 'confirm', 'abort'])),
   rejectDupes.bind(undefined, {}),
 
-  async function codeVerificationCSRF(ctx, next) {
-    if (!ctx.oidc.session.state) {
-      throw new InvalidRequest('could not find device form details');
-    }
-    if (ctx.oidc.session.state.secret !== ctx.oidc.params.xsrf) {
-      throw new InvalidRequest('xsrf token invalid');
-    }
-    await next();
-  },
+  checkXsrf('could not find device form details'),
 
   async function loadDeviceCodeByUserInput(ctx, next) {
     const { userCodeConfirmSource, mask } = instance(ctx.oidc.provider).features.deviceFlow;

lib/actions/end_session.js

@@ -1,5 +1,3 @@
-import * as crypto from 'node:crypto';
-
 import { InvalidClient, InvalidRequest, OIDCProviderError } from '../helpers/errors.js';
 import * as JWT from '../helpers/jwt.js';
 import redirectUri from '../helpers/redirect_uri.js';
@@ -11,6 +9,7 @@ import sessionMiddleware from '../shared/session.js';
 import revoke from '../helpers/revoke.js';
 import noCache from '../shared/no_cache.js';
 import formPost from '../response_modes/form_post.js';
+import { generateXsrf, checkXsrf } from '../shared/xsrf.js';
 
 const parseBody = bodyParser.bind(undefined, 'application/x-www-form-urlencoded');
 
@@ -70,16 +69,14 @@ export const init = [
     await next();
   },
 
+  generateXsrf,
+
   async function renderLogout(ctx) {
-    // TODO: generic xsrf middleware to remove this
-    const secret = crypto.randomBytes(24).toString('hex');
+    const { secret } = ctx.oidc.session.state;
 
-    ctx.oidc.session.state = {
-      secret,
-      clientId: ctx.oidc.client ? ctx.oidc.client.clientId : undefined,
-      state: ctx.oidc.params.state,
-      postLogoutRedirectUri: ctx.oidc.params.post_logout_redirect_uri,
-    };
+    ctx.oidc.session.state.clientId = ctx.oidc.client ? ctx.oidc.client.clientId : undefined;
+    ctx.oidc.session.state.state = ctx.oidc.params.state;
+    ctx.oidc.session.state.postLogoutRedirectUri = ctx.oidc.params.post_logout_redirect_uri;
 
     const action = ctx.oidc.urlFor('end_session_confirm');
 
@@ -105,15 +102,7 @@ export const confirm = [
   paramsMiddleware.bind(undefined, new Set(['xsrf', 'logout'])),
   rejectDupes.bind(undefined, {}),
 
-  async function checkLogoutToken(ctx, next) {
-    if (!ctx.oidc.session.state) {
-      throw new InvalidRequest('could not find logout details');
-    }
-    if (ctx.oidc.session.state.secret !== ctx.oidc.params.xsrf) {
-      throw new InvalidRequest('xsrf token invalid');
-    }
-    await next();
-  },
+  checkXsrf('could not find logout details'),
 
   async function endSession(ctx) {
     const { oidc: { session, params } } = ctx;

lib/shared/error_handler.js

@@ -1,12 +1,12 @@
-import * as crypto from 'node:crypto';
-
 import debug from 'debug';
 
 import instance from '../helpers/weak_cache.js';
 import * as formHtml from '../helpers/user_code_form.js';
 import { ReRenderError } from '../helpers/re_render_errors.js';
 import errOut from '../helpers/err_out.js';
 
+import { generateXsrf } from './xsrf.js';
+
 const debugError = debug('oidc-provider:error');
 const serverError = debug('oidc-provider:server_error');
 const serverErrorTrace = debug('oidc-provider:server_error:trace');
@@ -33,8 +33,8 @@ export default function getErrorHandler(provider, eventName) {
       }
 
       if (ctx.oidc?.session && userInputRoutes.has(ctx.oidc.route)) {
-        const secret = crypto.randomBytes(24).toString('hex');
-        ctx.oidc.session.state = { secret };
+        generateXsrf(ctx, () => {});
+        const { secret } = ctx.oidc.session.state;
 
         await userCodeInputSource(ctx, formHtml.input(ctx.oidc.urlFor('code_verification'), secret, err.userCode, charset), out, err);
         if (err instanceof ReRenderError) { // render without emit

lib/shared/xsrf.js

@@ -0,0 +1,22 @@
+import * as crypto from 'node:crypto';
+
+import { InvalidRequest } from '../helpers/errors.js';
+import constantEquals from '../helpers/constant_equals.js';
+
+export function generateXsrf(ctx, next) {
+  const secret = crypto.randomBytes(24).toString('hex');
+  ctx.oidc.session.state = { secret };
+  return next();
+}
+
+export function checkXsrf(missingMessage) {
+  return async function verifyXsrf(ctx, next) {
+    if (!ctx.oidc.session.state) {
+      throw new InvalidRequest(missingMessage);
+    }
+    if (!constantEquals(ctx.oidc.session.state.secret, ctx.oidc.params.xsrf || '')) {
+      throw new InvalidRequest('xsrf token invalid');
+    }
+    await next();
+  };
+}