github/TREK
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: prevent OIDC redirect URI construction from untrusted X-Forwarded-Host

Browse Source 
The OIDC login route silently fell back to building the redirect URI from
X-Forwarded-Host/X-Forwarded-Proto when APP_URL was not configured. An
attacker could set X-Forwarded-Host: attacker.example.com to redirect the
authorization code to their own server after the user authenticates.

Remove the header-derived fallback entirely. If APP_URL is not set (via env
or the app_url DB setting), the OIDC login endpoint now returns a 500 error
rather than trusting attacker-controlled request headers. Document APP_URL
in .env.example as required for OIDC use.
This commit is contained in:
jubnl
2026-04-01 04:36:27 +02:00
parent 1b28bd96d4
commit 0ee53e7b38
2 changed files with 5 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
server/.env.example
View File

@@ -8,6 +8,8 @@ ALLOWED_ORIGINS=https://trek.example.com # Comma-separated origins for CORS and
FORCE_HTTPS=false # Redirect HTTP → HTTPS behind a TLS proxy
TRUST_PROXY=1 # Number of trusted proxies for X-Forwarded-For
APP_URL=https://trek.example.com # Base URL of this instance — required when OIDC is enabled; must match the redirect URI registered with your IdP
OIDC_ISSUER=https://auth.example.com # OpenID Connect provider URL
OIDC_CLIENT_ID=trek # OpenID Connect client ID
OIDC_CLIENT_SECRET=supersecret # OpenID Connect client secret

10
server/src/routes/oidc.ts
View File

@@ -123,14 +123,10 @@ router.get('/login', async (req: Request, res: Response) => {
const doc = await discover(config.issuer);
const state = crypto.randomBytes(32).toString('hex');
const appUrl = process.env.APP_URL || (db.prepare("SELECT value FROM app_settings WHERE key = 'app_url'").get() as { value: string } | undefined)?.value;
let redirectUri: string;
if (appUrl) {
redirectUri = `${appUrl.replace(/\/+$/, '')}/api/auth/oidc/callback`;
} else {
const proto = (req.headers['x-forwarded-proto'] as string) || req.protocol;
const host = (req.headers['x-forwarded-host'] as string) || req.headers.host;
redirectUri = `${proto}://${host}/api/auth/oidc/callback`;
if (!appUrl) {
return res.status(500).json({ error: 'APP_URL is not configured. OIDC cannot be used.' });
}
const redirectUri = `${appUrl.replace(/\/+$/, '')}/api/auth/oidc/callback`;
const inviteToken = req.query.invite as string | undefined;
pendingStates.set(state, { createdAt: Date.now(), redirectUri, inviteToken });