sec(oauth): phase-2 attack-path review (forgejo-mcp-broker-wgo)
Structured review of every OAuth/auth handler against the standard
attack catalog. Findings table added to design.md §8.2.
Two real issues found and fixed:
- Refresh-token replay race: tokenRefreshGrant read the row, validated
it, then minted a new pair before unconditionally revoking the old
refresh. Two concurrent /token requests with the same refresh would
both pass validation and both mint a fresh pair — token-quota
duplication and a hint to a stolen-refresh attacker. Fixed with the
same atomic UPDATE rows-affected pattern already used for auth-code
single-use. New TestToken_Refresh_ConcurrentReplay_OnlyOneSucceeds
races two goroutines and verifies exactly one wins.
- Permissive redirect_uri schemes: validateRedirectURI accepted any
non-empty scheme, including javascript: and data:. Tightened to
require https, http for loopback only, or a reverse-DNS private-use
scheme per RFC 8252 §7.1. TestValidateRedirectURI updated to cover
each variant including the rejected javascript:/data: cases.
Items deferred to backlog (already filed):
- Rate limits on /oauth/register and /oauth/token (-ttl)
- --token-fd to close the /proc/<pid>/environ window (-1n2)
- AES-GCM at-rest encryption of Forgejo tokens (-sd4)
Closes forgejo-mcp-broker-wgo. Phase 2 complete.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
933e7bd369
commit
8369ec2cc7
5 changed files with 140 additions and 21 deletions
|
|
@ -11,6 +11,7 @@ import (
|
|||
"net/url"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"sync"
|
||||
"sync/atomic"
|
||||
"testing"
|
||||
"time"
|
||||
|
|
@ -861,6 +862,59 @@ func TestToken_Refresh_WrongClientID(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestToken_Refresh_ConcurrentReplay_OnlyOneSucceeds(t *testing.T) {
|
||||
// Two goroutines race the same refresh token. Without an atomic
|
||||
// single-shot UPDATE, both would mint a new pair. With it, exactly
|
||||
// one succeeds.
|
||||
fx := newFixture(t)
|
||||
cid := fx.registerClient("https://app.example.com/cb")
|
||||
tok := runFullFlow(t, fx, "https://app.example.com/cb", cid, "verifier-rfrace")
|
||||
|
||||
form := url.Values{
|
||||
"grant_type": {"refresh_token"},
|
||||
"refresh_token": {tok.RefreshToken},
|
||||
"client_id": {cid},
|
||||
}
|
||||
|
||||
type result struct {
|
||||
status int
|
||||
body string
|
||||
}
|
||||
results := make(chan result, 2)
|
||||
var wg sync.WaitGroup
|
||||
for i := 0; i < 2; i++ {
|
||||
wg.Add(1)
|
||||
go func() {
|
||||
defer wg.Done()
|
||||
resp, err := http.PostForm(fx.httpServer.URL+"/oauth/token", form)
|
||||
if err != nil {
|
||||
results <- result{status: 0, body: err.Error()}
|
||||
return
|
||||
}
|
||||
body, _ := io.ReadAll(resp.Body)
|
||||
_ = resp.Body.Close()
|
||||
results <- result{status: resp.StatusCode, body: string(body)}
|
||||
}()
|
||||
}
|
||||
wg.Wait()
|
||||
close(results)
|
||||
|
||||
var ok, failed int
|
||||
for r := range results {
|
||||
switch r.status {
|
||||
case http.StatusOK:
|
||||
ok++
|
||||
case http.StatusBadRequest:
|
||||
failed++
|
||||
default:
|
||||
t.Errorf("unexpected status %d: %s", r.status, r.body)
|
||||
}
|
||||
}
|
||||
if ok != 1 || failed != 1 {
|
||||
t.Errorf("concurrent refresh outcome = (ok=%d, failed=%d), want (1, 1)", ok, failed)
|
||||
}
|
||||
}
|
||||
|
||||
func TestToken_Refresh_RevokedToken(t *testing.T) {
|
||||
fx := newFixture(t)
|
||||
cid := fx.registerClient("https://app.example.com/cb")
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue