Home Explore Help
Register Sign In
oleg
/
pixelfed
mirror of https://github.com/pixelfed/pixelfed.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Fixes for items highlighted by review.ai

* Consider using `hash_equals()` instead of `==` when comparing the state values to prevent timing attacks:
`abort_unless(hash_equals($request->input('state'), $request->session()->pull('oauth2state')), 400, 'invalid
state');`
* For better data integrity, consider adding a foreign key constraint to the user_id column: `$table-
>foreign('user_id')->references('id')->on('users')->onDelete('cascade');`
* Does the OIDC provider guarantee that the username field exists in the userInfo data? Consider adding a
null check or fallback: `$userInfoData[config('remote-auth.oidc.field_username')] ?? null`
Gavin Mogan 5 months ago
parent
441c8e0d4c
commit
70584b47c5
2 changed files with 5 additions and 4 deletions
Unified View Show Diff Stats
  1. 2 2
      app/Http/Controllers/RemoteOidcController.php
  2. 3 2
      database/migrations/2025_01_30_061434_create_user_oidc_mapping_table.php

+ 2 - 2
app/Http/Controllers/RemoteOidcController.php
View File 

@@ -46,7 +46,7 @@ class RemoteOidcController extends Controller
 
         abort_unless($request->input("state"), 400);
 
         abort_unless($request->input("state"), 400);
 
         abort_unless($request->input("code"), 400);
 
         abort_unless($request->input("code"), 400);
 
 
 
-        abort_unless($request->input("state") == $request->session()->pull('oauth2state'), 400, "invalid state");
 
+        abort_unless(hash_equals($request->session()->pull('oauth2state'), $request->input("state")), 400, "invalid state");
 
 
 
         $accessToken = $provider->getAccessToken('authorization_code', [
 
         $accessToken = $provider->getAccessToken('authorization_code', [
 
             'code' => $request->get('code')
 
             'code' => $request->get('code')
 
@@ -66,7 +66,7 @@ class RemoteOidcController extends Controller
 
 
 
         $user = $this->createUser([
 
         $user = $this->createUser([
 
             'username' => $userInfoData[config('remote-auth.oidc.field_username')],
 
             'username' => $userInfoData[config('remote-auth.oidc.field_username')],
 
-            'name' => $userInfoData["name"] ?? $userInfoData["display_name"] ?? $userInfoData[config('remote-auth.oidc.field_username')],
 
+            'name' => $userInfoData["name"] ?? $userInfoData["display_name"] ?? $userInfoData[config('remote-auth.oidc.field_username')] ?? null,
 
             'email' => $userInfoData["email"],
 
             'email' => $userInfoData["email"],
 
         ]);
 
         ]);

+ 3 - 2
database/migrations/2025_01_30_061434_create_user_oidc_mapping_table.php
View File 

@@ -12,9 +12,10 @@ return new class extends Migration
 
     public function up(): void
 
     public function up(): void
 
     {
 
     {
 
         Schema::create('user_oidc_mappings', function (Blueprint $table) {
 
         Schema::create('user_oidc_mappings', function (Blueprint $table) {
 
-            $table->id();
 
-            $table->unsignedInteger('user_id')->index();
 
+            $table->bigIncrements('id');
 
+            $table->bigInteger('user_id')->unsigned()->index();
 
             $table->string('oidc_id')->unique()->index();
 
             $table->string('oidc_id')->unique()->index();
 
+            $table->foreign('user_id')->references('id')->on('users')->onDelete('cascade');
 
             $table->timestamps();
 
             $table->timestamps();
 
         });
 
         });
 
     }
 
     }