Nub-International-Group / ModelWorld-Bank

Monorepo for ModelWorldBank. Vue + VueX + Bootstrap frontend, Node + Mongo + Express backend.

reddit auth state token is insecure #198

Open sam-irl opened 4 years ago

sam-irl commented 4 years ago

When authenticating using reddit, the state token that's passed is simply set to `test`, and not used again.

https://github.com/Nub-International-Group/ModelWorld-Bank/blob/87eaae7e0a0c81a4e0e131fc2a8b56db863b004e/packages/server/index.js#L114

The state token should be set to a secure random value and checked in the callback (or just removed entirely I guess)

strideynet commented 4 years ago

I'm actually part way through bringing the authentication out into its own package and getting rid of the trash reddit passport plugin that I'm currently using, however it's mostly low priority.

I feel the risk of a CSRF attack on the platform is minimal.