[server] Enforce state presence and validation on the /api/authorize endoint #20969
+386
−15
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
geropl
force-pushed
the
gpl/1592-oauth-fix
branch
from
015c739 to
c0a7be3
Compare
geropl
force-pushed
the
gpl/1592-oauth-fix
branch
from
01163a9 to
89dc9c8
Compare
- Add comprehensive feature branch naming convention to systemPatterns.md - Include initials extraction rules and 24-character limit - Add workflow steps with git config user.name requirement - Add reference to branch naming guidelines in CLAUDE.md - Ensure all future AI sessions follow consistent branch naming Co-authored-by: Ona <[email protected]>
- Add URL validation in authenticator to reject returnTo URLs pointing to /api paths or api. subdomains - Move isApiPath method into validateAuthorizeReturnToUrl for better encapsulation - Maintain existing prefix-based domain validation in getReturnToParamWithSafeBaseDomain - Add comprehensive tests for validation functions - Covers edge cases: case insensitivity, malformed URLs, query params Co-authored-by: Ona <[email protected]>
- Add feature flag check in authenticator.authorize() method - Add validation in GenericAuthProvider.callback() for authFlow.returnTo - Only validate when getFeatureFlagEnforceAuthorizeStateValidation is true - Handle cases where user may not be available (new user flow) - Maintain backward compatibility with feature flag disabled by default Co-authored-by: Ona <[email protected]>
geropl
force-pushed
the
gpl/1592-oauth-fix
branch
from
89dc9c8 to
7547ba0
Compare
|
@AlexTugarev Can you reserve some time tomorrow to review this? 🙏 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Feature flag:
enforce_authorize_state_validationRelated Issue(s)
Fixes CLC-1592
How to test
Documentation
Preview status
gitpod:summary
Build Options
Build
Run the build with werft instead of GHA
Run Leeway with
--dont-testPublish
Installer
Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
If enabled this will build
install/previewIf enabled this will create the environment on GCE infra
Saves cost. Untick this only if you're really sure you need a non-preemtible machine.
Valid options are
all,workspace,webapp,ide,jetbrains,vscode,ssh. If enabled,with-previewandwith-large-vmwill be enabled./hold