From 95e92e10a5a946f23432631fdff787b774d728b0 Mon Sep 17 00:00:00 2001
From: Nemi Shah
Date: Thu, 7 Sep 2023 14:44:36 +0530
Subject: [PATCH 1/3] Add implementation for validateAccessToken for github
---
 .../recipe/thirdparty/providers/github.js | 27 +++++++++++++++++++
 lib/ts/recipe/thirdparty/providers/github.ts | 25 +++++++++++++++++
 2 files changed, 52 insertions(+)
diff --git a/lib/build/recipe/thirdparty/providers/github.js b/lib/build/recipe/thirdparty/providers/github.js
index 67aa54a08..582318551 100644
--- a/lib/build/recipe/thirdparty/providers/github.js
+++ b/lib/build/recipe/thirdparty/providers/github.js
@@ -84,6 +84,33 @@ function Github(input) {
 if (input.config.tokenEndpoint === undefined) {
 input.config.tokenEndpoint = "https://github.com/login/oauth/access_token";
 }
+ if (input.config.validateAccessToken === undefined) {
+ input.config.validateAccessToken = ({ accessToken, clientConfig }) =>
+ __awaiter(this, void 0, void 0, function* () {
+ const basicAuthToken = Buffer.from(
+ `${clientConfig.clientId}:${
+ clientConfig.clientSecret === undefined ? "" : clientConfig.clientSecret
+ }`
+ ).toString("base64");
+ const applicationsResponse = yield cross_fetch_1.default(
+ `https://api.github.com/applications/${clientConfig.clientId}`,
+ {
+ headers: {
+ Authorization: `Basic ${basicAuthToken}`,
+ "Content-Type": "application/json",
+ },
+ method: "POST",
+ body: JSON.stringify({
+ access_token: accessToken,
+ }),
+ }
+ );
+ if (applicationsResponse.status !== 200) {
+ throw new Error("Invalid access token");
+ }
+ console.log("Response", yield applicationsResponse.json());
+ });
+ }
 const oOverride = input.override;
 input.override = function (originalImplementation) {
 const oGetConfig = originalImplementation.getConfigForClientType;
diff --git a/lib/ts/recipe/thirdparty/providers/github.ts b/lib/ts/recipe/thirdparty/providers/github.ts
index cc733154f..bee480c09 100644
--- a/lib/ts/recipe/thirdparty/providers/github.ts
+++ b/lib/ts/recipe/thirdparty/providers/github.ts
@@ -58,6 +58,31 @@ export default function Github(input: ProviderInput): TypeProvider {
 input.config.tokenEndpoint = "https://github.com/login/oauth/access_token";
 }
+ if (input.config.validateAccessToken === undefined) {
+ input.config.validateAccessToken = async ({ accessToken, clientConfig }) => {
+ const basicAuthToken = Buffer.from(
+ `${clientConfig.clientId}:${clientConfig.clientSecret === undefined ? "" : clientConfig.clientSecret}`
+ ).toString("base64");
+
+ const applicationsResponse = await fetch(`https://api.github.com/applications/${clientConfig.clientId}`, {
+ headers: {
+ Authorization: `Basic ${basicAuthToken}`,
+ "Content-Type": "application/json",
+ },
+ method: "POST",
+ body: JSON.stringify({
+ access_token: accessToken,
+ }),
+ });
+
+ if (applicationsResponse.status !== 200) {
+ throw new Error("Invalid access token");
+ }
+
+ console.log("Response", await applicationsResponse.json());
+ };
+ }
+
 const oOverride = input.override;
 input.override = function (originalImplementation) {
From a682becb7af7b74a825c956fe2278ccd8f68429d Mon Sep 17 00:00:00 2001
From: Nemi Shah
Date: Thu, 7 Sep 2023 14:50:50 +0530
Subject: [PATCH 2/3] Add implementation for validateAccessToken for github
---
 lib/build/recipe/thirdparty/providers/github.js | 7 +++++++
 lib/ts/recipe/thirdparty/providers/github.ts | 8 ++++++++
 2 files changed, 15 insertions(+)
diff --git a/lib/build/recipe/thirdparty/providers/github.js b/lib/build/recipe/thirdparty/providers/github.js
index 582318551..69f5260fd 100644
--- a/lib/build/recipe/thirdparty/providers/github.js
+++ b/lib/build/recipe/thirdparty/providers/github.js
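Review bot: The default `validateAccessToken` added here builds the Basic credential with an empty password whenever `clientConfig.clientSecret` is undefined, so a provider configured without a secret will almost certainly fail the check-token call on every sign-in and report it as "Invalid access token" rather than as a configuration error. I would reject that up front, before `basicAuthToken` is computed, with `if (clientConfig.clientSecret === undefined) { throw new Error("clientSecret is required to validate GitHub access tokens"); }`, or skip the check explicitly when no secret is configured — either is clearer than letting GitHub reject the credentials. Because the hook is the only thing standing between a bad token and the rest of the sign-in, a misconfiguration that looks like a token failure is expensive to diagnose. The enclosing `Github` function starts and ends outside this hunk.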
@@ -125,6 +125,13 @@ function Github(input) {
 };
 originalImplementation.getUserInfo = function (input) {
 return __awaiter(this, void 0, void 0, function* () {
+ if (originalImplementation.config.validateAccessToken !== undefined) {
+ yield originalImplementation.config.validateAccessToken({
+ accessToken: input.oAuthTokens.access_token,
+ clientConfig: originalImplementation.config,
+ userContext: input.userContext,
+ });
+ }
 const headers = {
 Authorization: `Bearer ${input.oAuthTokens.access_token}`,
 Accept: "application/vnd.github.v3+json",
diff --git a/lib/ts/recipe/thirdparty/providers/github.ts b/lib/ts/recipe/thirdparty/providers/github.ts
index bee480c09..000ba2a69 100644
--- a/lib/ts/recipe/thirdparty/providers/github.ts
+++ b/lib/ts/recipe/thirdparty/providers/github.ts
@@ -98,6 +98,14 @@ export default function Github(input: ProviderInput): TypeProvider {
 };
 originalImplementation.getUserInfo = async function (input) {
+ if (originalImplementation.config.validateAccessToken !== undefined) {
+ await originalImplementation.config.validateAccessToken({
+ accessToken: input.oAuthTokens.access_token,
+ clientConfig: originalImplementation.config,
+ userContext: input.userContext,
+ });
+ }
+
 const headers = {
 Authorization: `Bearer ${input.oAuthTokens.access_token}`,
 Accept: "application/vnd.github.v3+json",
From cfbfb33b8ccd0004baf31b915f85115221876245 Mon Sep 17 00:00:00 2001
From: Nemi Shah
Date: Thu, 7 Sep 2023 15:06:10 +0530
Subject: [PATCH 3/3] Add implementation for validateAccessToken for github
---
 .../recipe/thirdparty/providers/github.js | 7 +++--
 lib/ts/recipe/thirdparty/providers/github.ts | 29 ++++++++++++-------
 2 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/lib/build/recipe/thirdparty/providers/github.js b/lib/build/recipe/thirdparty/providers/github.js
index 69f5260fd..46908eb1e 100644
--- a/lib/build/recipe/thirdparty/providers/github.js
+++ b/lib/build/recipe/thirdparty/providers/github.js
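Review bot: The new hook call at the top of `getUserInfo` in the github.ts hunk has no comment saying why it runs before the `/user` request, and the distinction between "the token is invalid" and "validation could not be performed" is left entirely to whatever the hook throws — any rejection propagates out of `getUserInfo` unchanged and aborts the sign-in. I would add above the `if`: `// Give the provider (or the default check-token call) a chance to reject revoked tokens or tokens minted for another app before any user info fetched with it is trusted; a throw here aborts the sign-in.` Note that the hook receives the whole provider config as `clientConfig`, so a custom implementation also sees `clientSecret`; presumably intentional, since the default implementation needs it for Basic auth, but worth stating in the hook's type docs. `getUserInfo`'s body continues past the end of the hunk.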
@@ -93,7 +93,7 @@ function Github(input) {
 }`
 ).toString("base64");
 const applicationsResponse = yield cross_fetch_1.default(
- `https://api.github.com/applications/${clientConfig.clientId}`,
+ `https://api.github.com/applications/${clientConfig.clientId}/token`,
 {
 headers: {
 Authorization: `Basic ${basicAuthToken}`,
@@ -108,7 +108,10 @@ function Github(input) {
 if (applicationsResponse.status !== 200) {
 throw new Error("Invalid access token");
 }
- console.log("Response", yield applicationsResponse.json());
+ const body = yield applicationsResponse.json();
+ if (body.app === undefined || body.app.client_id !== clientConfig.clientId) {
+ throw new Error("Access token does not belong to your application");
+ }
 });
 }
 const oOverride = input.override;
diff --git a/lib/ts/recipe/thirdparty/providers/github.ts b/lib/ts/recipe/thirdparty/providers/github.ts
index 000ba2a69..5ffb8fa1f 100644
--- a/lib/ts/recipe/thirdparty/providers/github.ts
+++ b/lib/ts/recipe/thirdparty/providers/github.ts
@@ -64,22 +64,29 @@ export default function Github(input: ProviderInput): TypeProvider {
 `${clientConfig.clientId}:${clientConfig.clientSecret === undefined ? "" : clientConfig.clientSecret}`
 ).toString("base64");
- const applicationsResponse = await fetch(`https://api.github.com/applications/${clientConfig.clientId}`, {
- headers: {
- Authorization: `Basic ${basicAuthToken}`,
- "Content-Type": "application/json",
- },
- method: "POST",
- body: JSON.stringify({
- access_token: accessToken,
- }),
- });
+ const applicationsResponse = await fetch(
+ `https://api.github.com/applications/${clientConfig.clientId}/token`,
+ {
+ headers: {
+ Authorization: `Basic ${basicAuthToken}`,
+ "Content-Type": "application/json",
+ },
+ method: "POST",
+ body: JSON.stringify({
+ access_token: accessToken,
+ }),
+ }
+ );
 if (applicationsResponse.status !== 200) {
 throw new Error("Invalid access token");
 }
- console.log("Response", await applicationsResponse.json());
+ const body = await applicationsResponse.json();
+
+ if (body.app === undefined || body.app.client_id !== clientConfig.clientId) {
+ throw new Error("Access token does not belong to your application");
+ }
 };
 }
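Review bot: `applicationsResponse.status !== 200` still maps every non-200 reply — rate limiting, a 5xx from GitHub, or a Basic-auth failure caused by a wrong client secret — to "Invalid access token", so at the call site a transient outage is indistinguishable from a revoked token. If GitHub signals an unknown token with a 404 (as I recall its check-token endpoint is documented to do), I would keep `throw new Error("Invalid access token")` for `status === 404` only and throw a separate `Could not validate access token (GitHub returned ${applicationsResponse.status})` for any other non-200 status. The new `body.app === undefined` guard also does not cover a `null` or non-object JSON body, on which `body.app.client_id` throws a TypeError instead of the intended error; `if (body?.app?.client_id !== clientConfig.clientId)` handles all of those in one check. Since `response.json()` is typed `any`, nothing at compile time enforces the response shape, so this runtime guard is the only protection. The enclosing `validateAccessToken` arrow function starts outside this hunk.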