feat: check session client Origin check

To satisfy a normative requirement the Origin of a valid formatted
postMessage must be checked to be a valid/expected one.

The iframe will now do this check with an XMLHttpRequest to the provider
with the client_id and Origin and will check the Origin to be amongst
the Origins of a given client's registered redirect_uris. This is enough
since the session state computation uses the redirect_uri Origin.

If the client is not found, request is malformed or Origin is not
whitelisted the frame will respond with "error" status back.

Additionally: more format checks are in place to filter out invalid
messages from i.e. trackers.

Additionally: the check_session_iframe debug was removed as it was not
sufficient for debugging anyway.

Author: panva

docs/configuration.md

@@ -849,6 +849,7 @@ provider.use(async (ctx, next) => {
    * `userinfo`
    * `webfinger`
    * `check_session`
+   * `check_session_origin`
    * `client`
    * `discovery`
    *

docs/events.md

@@ -27,6 +27,7 @@ parameters, loaded client or session.
 | registration_delete.error | (error, ctx) | ... whenever a handled error is encountered in the DELETE `registration` endpoint. |
 | userinfo.error | (error, ctx) | ... whenever a handled error is encountered in the `userinfo` endpoint. |
 | check_session.error | (error, ctx) | ... whenever a handled error is encountered in the `check_session` endpoint. |
+| check_session_origin.error | (error, ctx) | ... whenever a handled error is encountered in the `check_session_origin` endpoint. |
 | end_session.success | (ctx) | ... with every success end session request. |
 | end_session.error | (error, ctx) | ... whenever a handled error is encountered in the `end_session` endpoint. |
 | webfinger.error | (error, ctx) | ... whenever a handled error is encountered in the `webfinger` endpoint. |

lib/actions/check_session.js

@@ -1,93 +1,171 @@
 const instance = require('../helpers/weak_cache');
+const bodyParser = require('../shared/selective_body');
+const noCache = require('../shared/no_cache');
+const getParams = require('../shared/assemble_params');
+const presence = require('../helpers/validate_presence');
+const { InvalidRequest, InvalidClient } = require('../helpers/errors');
+
+const PARAM_LIST = new Set(['client_id', 'origin']);
+const buildParams = getParams(PARAM_LIST);
 
 module.exports = function checkSessionAction(provider) {
   const removeHeaders = !instance(provider).configuration('features.sessionManagement.keepHeaders');
   const thirdPartyCheckUrl = instance(provider).configuration('cookies.thirdPartyCheckUrl');
 
-  return async function checkSessionIframe(ctx, next) {
-    const debug = ctx.query.debug !== undefined;
-
-    if (removeHeaders) {
-      ctx.response.remove('X-Frame-Options');
-      const csp = ctx.response.get('Content-Security-Policy');
-      if (csp.includes('frame-ancestors')) {
-        ctx.response.set('Content-Security-Policy', csp.replace(/ ?frame-ancestors [^;]+;/, ''));
+  return {
+    get: async function checkSessionIframe(ctx, next) {
+      if (removeHeaders) {
+        ctx.response.remove('X-Frame-Options');
+        const csp = ctx.response.get('Content-Security-Policy');
+        if (csp.includes('frame-ancestors')) {
+          ctx.response.set('Content-Security-Policy', csp.replace(/ ?frame-ancestors [^;]+;/, ''));
+        }
       }
-    }
 
-    ctx.type = 'html';
-    ctx.body = `<!DOCTYPE html>
-  <html>
-  <head lang="en">
-    <meta charset="UTF-8">
-    <title>Session Management - OP iframe</title>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/jsSHA/2.3.1/sha256.js" integrity="sha256-NyuvLfsvfCfE+ceV6/W19H+qVp3M8c9FzAgj72CW39w=" crossorigin="anonymous"></script>
-  </head>
-  <body>
+      ctx.type = 'html';
+      ctx.body = `<!DOCTYPE html>
+<html>
+<head lang="en">
+<meta charset="UTF-8">
+<title>Session Management - OP iframe</title>
+<script src="https://cdnjs.cloudflare.com/ajax/libs/jsSHA/2.3.1/sha256.js" integrity="sha256-NyuvLfsvfCfE+ceV6/W19H+qVp3M8c9FzAgj72CW39w=" crossorigin="anonymous"></script>
+<script src="https://cdn.polyfill.io/v2/polyfill.min.js?features=fetch&rum=0"></script>
+</head>
+<body>
 
-  <script type="application/javascript">
-    var debug = ${debug};
-    var thirdPartyCookies = true;
+<script type="application/javascript">
+(function () {
+  var thirdPartyCookies = true;
+  var originCheckResult;
 
-    function receiveMessage(e) {
-      if (e.data === 'MM:3PCunsupported') {
-        thirdPartyCookies = false;
-        return;
-      } else if (e.data === 'MM:3PCsupported') {
-        return;
+  function calculate(clientId, origin, actual, salt, cb) {
+    try {
+      if (originCheckResult.clientId !== clientId || originCheckResult.origin !== origin) {
+        throw new Error('client_id and/or origin mismatch');
       }
-      try {
-        var message_parts = e.data.split(' ');
-        var clientId = message_parts[0];
-        var actual = message_parts[1];
-        if (debug && console) console.log('OP recv session state: ' + actual);
-        var salt = actual.split('.')[1];
+      var opbs = getOPBrowserState(clientId);
+      var stat = 'changed';
 
-        var opbs = getOPBrowserState(clientId);
+      if (opbs) {
         var shaObj = new jsSHA('SHA-256', 'TEXT');
-        shaObj.update(clientId + ' ' + e.origin + ' ' + opbs + ' ' + salt);
-        var expected = shaObj.getHash('HEX') + ['.' + salt];
-        if (debug && console) console.log('OP computed session state: ' + expected);
+        shaObj.update(clientId + ' ' + origin + ' ' + opbs + ' ' + salt);
+        var expected = shaObj.getHash('HEX') + '.' + salt;
 
-        var stat;
         if (actual === expected) {
           stat = 'unchanged';
-        } else {
-          stat = 'changed';
         }
+      }
 
-        if (debug && console) console.log('OP status: ' + stat);
+      cb(stat);
+    } catch (err) {
+      cb('error');
+    }
+  }
 
-        e.source.postMessage(stat, e.origin);
-      } catch (err) {
-        e.source.postMessage('error', e.origin);
-      }
+  function check(clientId, origin, actual, salt, cb) {
+    if (!originCheckResult) {
+      fetch(location.pathname, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json; charset=utf-8',
+        },
+        body: JSON.stringify({ client_id: clientId, origin: origin }),
+        redirect: 'error',
+      }).then(function (response) {
+        if (response.ok) {
+          originCheckResult = {
+            origin: origin,
+            clientId: clientId,
+          };
+          calculate(clientId, origin, actual, salt, cb);
+        } else {
+          throw new Error('invalid client_id and/or origin');
+        }
+      }).catch(function () {
+        cb('error');
+      });
+    } else {
+      calculate(clientId, origin, actual, salt, cb);
     }
+  }
 
-    function getOPBrowserState(clientId) {
-      var cookie = readCookie('${provider.cookieName('state')}.' + clientId);
-      if (debug && console) console.log('session state cookie: ' + cookie);
-      if (!thirdPartyCookies && !cookie) throw new Error('third party cookies are most likely blocked');
-      return cookie;
+  function receiveMessage(e) {
+    if (typeof e.data !== 'string') {
+      return;
+    }
+    if (e.data === 'MM:3PCunsupported') {
+      thirdPartyCookies = false;
+      return;
+    }
+    if (e.data === 'MM:3PCsupported') {
+      return;
+    }
+    var parts = e.data.split(' ');
+    var clientId = parts[0];
+    var actual = parts[1];
+    if (parts.length !== 2 || !clientId || !actual) {
+      return;
+    }
+    var actualParts = actual.split('.');
+    var sessionStr = actualParts[0];
+    var salt = actualParts[1];
+    if (actualParts.length !== 2 || !salt || !sessionStr) {
+      return;
     }
+    check(clientId, e.origin, actual, salt, function (stat) {
+      e.source.postMessage(stat, e.origin);
+    });
+  }
 
-    function readCookie(name) {
-      var nameEQ = name + "=";
-      var ca = document.cookie.split(';');
-      for(var i=0;i < ca.length;i++) {
-        var c = ca[i];
-        while (c.charAt(0)==' ') c = c.substring(1,c.length);
-        if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
-      }
-      return null;
+  function getOPBrowserState(clientId) {
+    var cookie = readCookie('${provider.cookieName('state')}.' + clientId);
+    if (!thirdPartyCookies && !cookie) throw new Error('third party cookies are most likely blocked');
+    return cookie;
+  }
+
+  function readCookie(name) {
+    var nameEQ = name + '=';
+    var ca = document.cookie.split(';');
+    for (var i=0; i < ca.length; i++) {
+      var c = ca[i];
+      while (c.charAt(0) === ' ') c = c.substring(1, c.length);
+      if (c.indexOf(nameEQ) === 0) return c.substring(nameEQ.length, c.length);
     }
+    return null;
+  }
 
-    window.addEventListener('message', receiveMessage, false);
-  </script>
-  <iframe src="${thirdPartyCheckUrl}" style="display:none" />
+  window.addEventListener('message', receiveMessage, false);
+})();
+</script>
+<iframe src="${thirdPartyCheckUrl}" style="display:none" />
 
-  </body>
-  </html>`;
-    await next();
+</body>
+</html>`;
+      await next();
+    },
+    post: [
+      noCache,
+      bodyParser('application/json'),
+      buildParams,
+      async function checkClientOrigin(ctx, next) {
+        presence(ctx, 'origin', 'client_id');
+        const { client_id: clientId, origin } = ctx.oidc.params;
+        [clientId, origin].forEach((value) => {
+          if (typeof value !== 'string') {
+            throw new InvalidRequest('only string parameter values are expected');
+          }
+        });
+        const client = await provider.Client.find(clientId);
+        ctx.oidc.entity('Client', client);
+        if (!client) {
+          throw new InvalidClient();
+        }
+        if (!client.redirectUriOrigins.has(origin)) {
+          throw new InvalidRequest('origin not allowed', 403);
+        }
+        ctx.status = 204;
+        await next();
+      },
+    ],
   };
 };

lib/actions/index.js

@@ -9,6 +9,7 @@ const getWebfinger = require('./webfinger');
 const getDiscovery = require('./discovery');
 const getCheckSession = require('./check_session');
 const getEndSession = require('./end_session');
+const getCodeVerification = require('./code_verification');
 
 module.exports = {
   getAuthorization,
@@ -22,4 +23,5 @@ module.exports = {
   getDiscovery,
   getCheckSession,
   getEndSession,
+  getCodeVerification,
 };

lib/helpers/initialize_app.js

@@ -4,20 +4,12 @@ const Router = require('koa-router');
 const getCors = require('@koa/cors');
 
 const { homepage, version } = require('../../package.json');
-const getAuthorization = require('../actions/authorization');
-const getUserinfo = require('../actions/userinfo');
-const getToken = require('../actions/token');
-const getCertificates = require('../actions/certificates');
-const getRegistration = require('../actions/registration');
-const getRevocation = require('../actions/revocation');
-const getIntrospection = require('../actions/introspection');
-const getWebfinger = require('../actions/webfinger');
-const getDiscovery = require('../actions/discovery');
-const getCheckSession = require('../actions/check_session');
-const getEndSession = require('../actions/end_session');
+const {
+  getAuthorization, getUserinfo, getToken, getCertificates, getRegistration, getRevocation,
+  getIntrospection, getWebfinger, getDiscovery, getCheckSession, getEndSession, getCodeVerification,
+} = require('../actions');
 const getInteraction = require('../actions/interaction');
 const grants = require('../actions/grants');
-const getCodeVerification = require('../actions/code_verification');
 const responseModes = require('../response_modes');
 const error = require('../shared/error_handler');
 const getAuthError = require('../shared/authorization_error_handler');
@@ -150,8 +142,9 @@ module.exports = function initializeApp() {
   }
 
   if (configuration.features.sessionManagement) {
-    const checkFrame = getCheckSession(this);
-    get('check_session', routes.check_session, error(this, 'check_session.error'), checkFrame);
+    const checkSession = getCheckSession(this);
+    get('check_session', routes.check_session, error(this, 'check_session.error'), checkSession.get);
+    post('check_session_origin', routes.check_session, error(this, 'check_session_origin.error'), ...checkSession.post);
 
     const endSession = getEndSession(this);
     get('end_session', routes.end_session, error(this, 'end_session.error'), ...endSession.get);

lib/models/client.js

@@ -313,6 +313,20 @@ module.exports = function getClient(provider) {
       return this.redirectUris.includes(checkedUri);
     }
 
+    get redirectUriOrigins() {
+      if ('redirectUriOrigins' in instance(this)) {
+        return instance(this).redirectUriOrigins;
+      }
+
+      instance(this).redirectUriOrigins = this.redirectUris.reduce((acc, uri) => {
+        const { origin } = new URL(uri);
+        acc.add(origin);
+        return acc;
+      }, new Set());
+
+      return instance(this).redirectUriOrigins;
+    }
+
     webMessageUriAllowed(webMessageUri) {
       return this.webMessageUris && this.webMessageUris.includes(webMessageUri);
     }

test/session_management/authorization.test.js

@@ -37,33 +37,5 @@ describe('session management', () => {
           });
       });
     });
-
-    describe('[session_management] check_session_iframe', () => {
-      before(function () {
-        this.provider.use(async (ctx, next) => {
-          ctx.response.set('X-Frame-Options', 'SAMEORIGIN');
-          ctx.response.set('Content-Security-Policy', "default-src 'none'; frame-ancestors 'self' example.com *.example.net; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");
-          await next();
-        });
-      });
-
-      it('responds with frameable html', function () {
-        return this.agent.get('/session/check')
-          .expect(200)
-          .expect('content-type', /text\/html/)
-          .expect((response) => {
-            expect(response.headers['x-frame-options']).not.to.be.ok;
-            expect(response.headers['content-security-policy']).not.to.match(/frame-ancestors/);
-          });
-      });
-
-      it('does not populate ctx.oidc.entities', function (done) {
-        this.provider.use(this.assertOnce((ctx) => {
-          expect(ctx.oidc.entities).to.be.empty;
-        }, done));
-
-        this.agent.get('/session/check').end(() => {});
-      });
-    });
   });
 });