n4bb12 / verdaccio-github-oauth-ui

📦🔐 GitHub OAuth plugin for Verdaccio
https://verdaccio.org
MIT License
71 stars 45 forks

Bug allowing anyone to log in as any valid GitHub user #160

Closed Doridian closed 2 years ago

Doridian commented 2 years ago

Bug Report

Versions

Verdaccio: 5.13
This plugin: 5.0
Node: Whatever Verdaccio 5.13 Docker image ships

Have htpasswd and this plugin enabled

Observed behavior

Verdaccio lets you log in with a GitHub user with any password:

npm adduser --registry https://xxxxxx

Enter the GitHub username of a user previously used with this plugin, enter ANY password. You will get issued a token.

Logs show:

[github-oauth-ui] User successfuly authenticated: {
  name: 'USERNAME',
  groups: [ '$all', '@all', '$authenticated', '@authenticated' ],
  real_groups: [ whatever the actual GH user has, like orgs etc ]
}

Expected behavior

Login failure

Steps to reproduce

n4bb12 commented 2 years ago

Please read the breaking changes before upgrading to a new major version https://github.com/n4bb12/verdaccio-github-oauth-ui/releases/tag/5.0.0

Doridian commented 2 years ago

I did not upgrade. I started on this version. I did not use any previous version of this plugin and followed the instructions in the docs folder.

Doridian commented 2 years ago

Also, even if I did upgrade, the breaking changes only mention permission issues. This is NOT a permissions issue at all. Under no circumstances should this plugin allow you to log in as someone else, whose credentials you do not have, which it does.

Doridian commented 2 years ago

@n4bb12 Please, if you think I did something wrong, tell me. But don't just close the issue assuming I upgraded from a previous version.

Here's my whole config, which seems correct from your docs folder:

# path to a directory with all packages
storage: /verdaccio/storage
# path to a directory with plugins to include
plugins: /verdaccio/plugins

web:
  # WebUI is enabled as default, if you want disable it, just uncomment this line
  #enable: false
  title: Verdaccio

auth:
  github-oauth-ui:
    client-id: REDACTED
    client-secret: REDACTED
    token: REDACTED
  htpasswd:
    file: /verdaccio/conf/htpasswd
    algorithm: bcrypt
    # Maximum amount of users allowed to register, defaults to "+infinity".
    # You can set this to -1 to disable registration.
    max_users: -1

packages:
  '@*/*':
    access: github/org/xxx xxx
    publish: github/org/xxx xxx

  '**':
    access: github/org/xxx xxx
    publish: github/org/xxx xxx

# To use `npm audit` uncomment the following section
middlewares:
  github-oauth-ui:
    enabled: true
  audit:
    enabled: true

security:
  api:
    jwt:
      sign:
        expiresIn: 90d
  web:
    sign:
      expiresIn: 7d

# log settings
log: { type: stdout, format: pretty, level: http }

n4bb12 commented 2 years ago

Maybe I misunderstood.

Anybody with a GitHub account can log in to any registry as themselves using v5+ of the plugin. This is intended. This is not what you're referring to?

How does npm adduser play into this? This is not a command that works with GitHub, is it?

Doridian commented 2 years ago

Okay, so, basically what I am saying is:

I (doridian) log into my Verdaccio UI using my GitHub account. I get the expected permissions, everything is good so far.

Now, say, an evil user finds my Verdaccio instance. That evil user now runs npm adduser --registry https://myregistry. They then enter my username (doridian) and any password. Now they are logged in as me, with all my permissions.

This should not permit login at all, considering npm adduser is for plain-password login only and no password should be valid. But it seems just ANY password gets accepted.

n4bb12 commented 2 years ago

Okay, thanks for reporting. Trying to reproduce and better understand.

n4bb12 commented 2 years ago

Now they are logged in as me, with all my permissions.

How do you verify that that is the case?

Doridian commented 2 years ago

Now they are logged in as me, with all my permissions.

How do you verify that that is the case?

I ran npm install on several packages (as you can see, my configuration only allows members of a specific org to download all packages). I verified those packages cannot be installed/viewed otherwise (by users outside the org).

Also, in the log after npm adduser, I received the following log line (as another data point):

[github-oauth-ui] User successfuly authenticated: {
  name: 'doridian',
  groups: [ '$all', '@all', '$authenticated', '@authenticated' ],
  real_groups: [ 'github/org/xxx' ]
}

(The real_groups containing my org)

To note: This only works after the "real" user has logged in to Verdaccio at least once.

n4bb12 commented 2 years ago

Should be fixed in 5.0.1 by adding this check. Can you confirm the two plugins work in tandem as you would expect?

Doridian commented 2 years ago

Confirmed it now rejects GitHub users correctly in npm adduser.

n4bb12 commented 2 years ago

Note that you can still npm adduser a GitHub username if htpasswd registration is enabled. The authentication however then runs through htpasswd and the resulting user does not include GitHub groups. I think this is the intended behavior of using multiple auth plugins in tandem.

n4bb12 commented 2 years ago

Thanks again for reporting and insisting 😀