From ba65cc50b7b468f0738398312a468ea413727bdc Mon Sep 17 00:00:00 2001
From: Matthias Benkard
Date: Tue, 14 Apr 2015 08:39:27 +0000
Subject: QT-1900 Add a CSRF token to the OIDC login flow.

This improves security by generating a CSRF token, passing it to the OIDC IdP, and validating it afterwards. The token is stored in a cookie reverse-encrypted with MulkyID's private key.
---
 www/login.pl | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'www/login.pl')

diff --git a/www/login.pl b/www/login.pl
index fe1729d..5d27cbe 100755
--- a/www/login.pl
+++ b/www/login.pl
@@ -79,6 +79,14 @@ while (my $cgi = new CGI::Fast) {
     }
     when ('google') {
         my $code = $cgi->param('code') or die "Authorization code is missing.";
+
+        # Validate CSRF token.
+        my $oauth_state = $cgi->param('state');
+        my $csrf_token = read_cookie($cgi, 'mulkyid_csrf_token');
+        unless ($csrf_token && $oauth_state && $csrf_token eq $oauth_state) {
+            die "CSRF token was forged!";
+        }
+
         my $oidc_client = OIDC::Lite::Client::WebServer->new(
             id => $::MULKONF->{'google_oauth2_client_id'},
             secret => $::MULKONF->{'google_oauth2_client_secret'},
-- 
cgit v1.2.3
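Review bot: The new `unless (...) { die "CSRF token was forged!"; }` reports every failure as forgery, but the likeliest cause is an absent or expired `mulkyid_csrf_token` cookie (cookies blocked, login tab left open), and the single message leaves an operator reading logs unable to tell a missing cookie from a genuine state mismatch. Splitting the compound `unless` into two guards also sidesteps the negated three-term condition: `die "CSRF token cookie is missing." unless $csrf_token;` followed by `die "OAuth state does not match CSRF token." unless $oauth_state && $csrf_token eq $oauth_state;`. Nothing in the hunk clears the cookie once the check passes, so unless that happens elsewhere (not visible here) the same state value stays accepted for the cookie's lifetime; expiring it right after a successful match would make the token single-use. The enclosing `when ('google')` block and the `while` loop both continue past the hunk.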