Add OAuth2 login #512
Add OAuth2 login #512
Conversation
JJ-8
left a comment
JJ-8
left a comment
There was a problem hiding this comment.
Your code looks good, except for the most critical part: the actual login. I have also no clue how to test this code so it is difficult for me to actually verify that it is working correctly.
| ON CONFLICT ("login") DO UPDATE | ||
| SET password = 'external', role = login_with_extern.role |
There was a problem hiding this comment.
If you login with an external identity provider, you will note be able to also do password login? Why can't it be both? So that you set a password after doing a password reset in CTFNote and then you choose to use OAuth login or through your password and you enter the same account.
For example, we can initially set the password to null to prevent any authentication through password and ON CONFLICT here we just do nothing.
There was a problem hiding this comment.
That is definitively an option (after dropping the NOT NULL constraint).
But in that case we would end up with the opposite situation: I have a local account and want to migrate it to external only. With that option, the best I can do is to choose a long, random password and immediately forget it. Since that is less impacting, I probably will change it that way in the upcoming days.
| STRICT | ||
| SECURITY DEFINER; | ||
|
|
||
| GRANT EXECUTE ON FUNCTION ctfnote_private.login_with_extern TO user_anonymous; |
There was a problem hiding this comment.
What would a random online user prevent to call this function to login as another user? Can I just call this function with the name of the administrator, or just give me a high privilege role? This function looks really vulnerable...
There was a problem hiding this comment.
Hmmm maybe because it is in the ctfnote_private space it is still correct and not publicly exposed. I mostly forgot how this system works... This pattern is used on other places in the code too, but still I am looking forward to get a clarification from you :)
There was a problem hiding this comment.
This is my first time working with graphql. As a result, I can't give a definitive answer. I created the graphql parts by immitating similar code in ctfnote.
But I think I mitigated the flaw in #509 by changing the function to ctfnote_private, suggesting that ctfnote_private is indeed not exposed externally.
There was a problem hiding this comment.
If I make the function public, the following payload returns a JWT:
[{"operationName":"loginWithExtern","variables":{"name":"test","role":"USER_ADMIN"},"query":"mutation loginWithExtern($name: String!, $role: Role!) {\n loginWithExtern(input: {name: $name, role: $role}) {\n jwt\n __typename\n }\n}"}]But that payload does not work if the function is private. But maybe my graphql is just to primitive to come up with a working version.
There was a problem hiding this comment.
After a bit more searching, I found that ctfnote_private.new_token ("user_id" int) (https://github.com/TFNS/CTFNote/blob/main/api/migrations/9-type-jwt.sql#L90-L102) was executable by anonymous, too. It was changed in bab8767 due to a refactoring, but I wasn't able to find whether it was for a security fix or just some functional improvement.
There was a problem hiding this comment.
I have to correct myself: That function still exists.
As a result, it is much more straight forward to directly request the JWT of an existing admin instead of creating a new user.
2 participants
This PR adds the possibility to sign in via an OAuth 2.0 compatible identity provider (#171).
The database function
login_with_externand the utils functiondetermineRoleByMappingare designed to hopefully be reusable by other external login providers added in the future.TODO: