Improve panel auth handling further

Include state to prevent CSRF. Handle edge-cases where you've got multiple tabs open, and you log in using one of them. And make sure you get redirected back to the page you came from.

Author: TheEpicBlock

panel/src/app/(authenticated)/template.tsx

@@ -2,7 +2,7 @@
 
 import { readAuthData, logout, ModfestAuth } from "@/auth_context"
 import { Platform, PlatformContext } from "@/platform";
-import { useRouter } from "next/navigation"
+import { usePathname, useRouter, useSearchParams } from "next/navigation"
 import { createContext, use, useContext, useEffect, useReducer, useState } from "react";
 
 export default function Template({ children }: { children: React.ReactNode }) {
@@ -16,7 +16,8 @@ export default function Template({ children }: { children: React.ReactNode }) {
 			if (a && a.isValid()) {
 				setAuth(a)
 			} else {
-				router.push("/auth/login")
+				var currentUrl = window.location.pathname + window.location.search + window.location.hash
+				router.push(`/auth/login?r=${encodeURIComponent(currentUrl)}`)
 			}
 		}
 	}, [auth])

panel/src/app/auth/auth.ts

@@ -1,6 +1,22 @@
 "use client"
 
-export function getRedirectUrl(): string {
-	// TODO properly handle prerendering here
-	return typeof window !== 'undefined' ? `${window.location.origin}/auth/callback` : ""
+export function getCallbackUrl(): string {
+	return `${window.location.origin}/auth/callback`
 } 
+
+/**
+ * Random value which is generated per-browser and then stored in localStorage.
+ * Only ever generated once (unless the user clears their cache).
+ * 
+ * See the comments in the login page for more information
+ * 
+ * The resulting value is guaranteed to be alphanumeric
+ */
+export function getOauthBrowserKey(): string {
+	var key = localStorage.getItem("oauthbrowserkey");
+	if (!key) {
+		key = crypto.randomUUID().replace("-", "");
+		localStorage.setItem("oauthbrowserkey", key);
+	}
+	return key;
+}

panel/src/app/auth/callback/page.tsx

@@ -1,15 +1,21 @@
 "use client"
 
 import { useEffect, useState } from "react";
-import { getRedirectUrl } from "../auth";
+import { getCallbackUrl, getOauthBrowserKey } from "../auth";
 import { getToken } from "./server_handler";
 import { ModfestAuth } from "@/auth_context";
+import { useRouter } from "next/navigation";
+import { AppRouterInstance } from "next/dist/shared/lib/app-router-context.shared-runtime";
+
+// This page completes the OAUTH flow. This is the page where modrinth redirects the user to once they've
+// logged in
 
 export default function Home() {
+	const router = useRouter()
 	const [failed, setFailed] = useState(false)
 
 	useEffect(() => {
-		authWithModrinthOAuth(setFailed)
+		authWithModrinthOAuth(router, setFailed)
 	}, [])
 
 	if (failed) {
@@ -30,19 +36,42 @@ export default function Home() {
 	);
 }
 
-async function authWithModrinthOAuth(setFailed: (v: boolean) => void) {
+async function authWithModrinthOAuth(router: AppRouterInstance, setFailed: (v: boolean) => void) {
 	const urlParams = new URLSearchParams(window.location.search);
 	const code = urlParams.get("code")
+	const state = urlParams.get("state")
 
-	var modrinthToken = await getToken(code!, getRedirectUrl())
-	if (!("access_token" in modrinthToken) || !("expires_in" in modrinthToken)) {
+	if (!code || !state) {
 		setFailed(true)
 		return
 	}
 
-	const token = new ModfestAuth(modrinthToken["access_token"], modrinthToken["expires_in"])
+	const [securityToken, redirect] = state.split(".", 2)
+	if (securityToken !== getOauthBrowserKey()) {
+		setFailed(true)
+		return
+	}
+
+	var modrinthToken = await getToken(code!, getCallbackUrl())
+	if (!("access_token" in modrinthToken) || !("expires_at" in modrinthToken)) {
+		setFailed(true)
+		return
+	}
+
+	const token = new ModfestAuth(modrinthToken["access_token"], modrinthToken["expires_at"])
 	token.saveLocalStorage()
 
-	// TODO redirect anywhere on site
-	window.location.replace(window.location.origin)
+	redirectBack(router, redirect)
+}
+
+export function redirectBack(router: AppRouterInstance, url: string) {
+	// Quite important, this url is untrusted and we don't want to be redirecting to arbitrary pages
+	if (!url.startsWith("/")) {
+		url = "/"
+	}
+	// We should never redirect back to the authentication flow, that'll give infinite loops
+	if (url.startsWith("/auth")) {
+		url = "/"
+	}
+	router.replace(url)
 }

panel/src/app/auth/callback/server_handler.ts

@@ -1,6 +1,6 @@
 "use server"
 
-export async function getToken(code: string, redirect_uri: string): Promise<ModrinthToken> {
+export async function getToken(code: string, redirect_uri: string): Promise<ModrinthTokenData> {
 	// This function is run on the server, it needs access to the client secret
 	const modrinthApi = process.env.NEXT_PUBLIC_MODRINTH_API
 
@@ -17,11 +17,23 @@ export async function getToken(code: string, redirect_uri: string): Promise<Modr
 			grant_type: "authorization_code"
 		})
 	})
-	return <ModrinthToken>(await result.json())
+	const data = <ModrinthToken>(await result.json())
+	return {
+		access_token: data.access_token,
+		token_type: data.token_type,
+		// Subtract 5 minutes to account for latency between us and modrinth
+		expires_at: Date.now() + data.expires_in - 60*5
+	}
 }
 
 export type ModrinthToken = {
 	access_token: string,
 	token_type: string,
 	expires_in: number
 }
+
+export type ModrinthTokenData = {
+	access_token: string,
+	token_type: string,
+	expires_at: number
+}

panel/src/app/auth/login/inner.tsx

@@ -0,0 +1,100 @@
+"use client"
+import { readAuthData } from "@/auth_context";
+import { useRouter } from "next/navigation";
+import { useEffect, useState } from "react";
+import { getOauthBrowserKey, getCallbackUrl } from "../auth";
+import { redirectBack } from "../callback/page";
+
+
+export default function Inner(props: {redirect_url: string}) {
+	const router = useRouter()
+	const redirect = props.redirect_url
+	// We redirect the user to OAUTH themselves with modrinth
+	// This is documented on https://docs.modrinth.com/guide/oauth/
+	// The flow is as follows:
+	//  * The user tries to access an authenticated page, they do not have a token in localStorage
+	//  * The user is redirected to this page, the previous page they were on is stored in a query parameter named `r`
+	//  * The user clicks the "log in with Modrinth" button, and gets sent to a modrinth page
+	//  * The user completes the login in modrinth, and is redirected to our special "callback" page
+	//  * The callback page reads the code which modrinth passed through in a query parameter
+	//  * The callback page sends this code to the server, where it's combined with an application secret key to
+	//    obtain a modrinth token
+	//  * The callback page reads the `r` query parameter and redirects back to the original page
+
+	// We want to check if the user got sent here erroneously,
+	// aka if they got authenticated in the meantime
+	const checkLoggedIn = () => {
+		const a = readAuthData()
+		if (a && a.isValid()) {
+			redirectBack(router, redirect)
+		}
+	};
+	useEffect(() => checkLoggedIn(), []); // Wrapped in useEffect so it only runs on client
+
+	// We also want to keep an eye on localStorage. It might be that the user has multiple tabs open,
+	// and logged in on aNextRouter different tab.
+	useEffect(() => {
+		const controller = new AbortController();
+		addEventListener("storage", () => {
+			checkLoggedIn()
+		}, { signal: controller.signal })
+		return () => controller.abort()
+	}, [])
+
+	// These need to be in a useEffect because they must run on the client and not the server
+	const [oauthBrowserKey, setOauthBrowserKey] = useState<string | undefined>(undefined)
+	useEffect(() => {
+		if (!oauthBrowserKey) {
+			setOauthBrowserKey(getOauthBrowserKey())
+		}
+	}, [oauthBrowserKey]);
+
+	const [callbackUrl, setCallbackUrl] = useState<string | undefined>(undefined)
+	useEffect(() => {
+		if (!callbackUrl) {
+			setCallbackUrl(getCallbackUrl())
+		}
+	}, [callbackUrl]);
+
+	if (!callbackUrl) {
+		return <main>
+			<center>
+				<h1>ModFest panel</h1>
+				Log in with Modrinth
+			</center>
+		</main>
+	}
+	
+	// We can provide a "state" parameter to modrinth. This will be passed on unmodified to the callback
+	// We use it for two reasons. Firstly, we insert a random browser-specific value into it.
+	// If we didn't do this, anyone could create a link to our callback page. When someone clicks
+	// that link the callback will blindly assume the token is correct and it'll just be a
+	// confusing mess. So we store some random value in localStorage, and any attacker won't be
+	// able to guess that.
+	// Secondly, we use the state variable to encode the return path. 
+	const state = oauthBrowserKey+"."+redirect
+
+	const queryParams = {
+		// This is the only auth type modrinth supports
+		"response_type": "code",
+		// Identifier for the modrinth app
+		"client_id": process.env.NEXT_PUBLIC_MODRINTH_APP_ID!,
+		// We only want the bare minimum scope, this should also be set in the modrinth application's settings (https://modrinth.com/settings/applications)
+		"scope": "USER_READ",
+		// The state variable (which will be passed on unmodified)
+		"state": state,
+		// The url for our callback page
+		"redirect_uri": callbackUrl,
+	};
+
+  	const oathUrl = `${process.env.NEXT_PUBLIC_MODRINTH_SITE}/auth/authorize?` + Object.entries(queryParams).map(([k,v]) => k+"="+encodeURIComponent(v)).join("&")
+
+	return (
+		<main>
+			<center>
+				<h1>ModFest panel</h1>
+				<a href={oathUrl}>Log in with Modrinth</a>
+			</center>
+		</main>
+	);
+}

panel/src/app/auth/login/page.tsx

@@ -1,26 +1,16 @@
-"use client"
-
-import { getRedirectUrl } from "../auth";
+import Inner from "./inner";
 
 type SearchParams = Promise<{ [key: string]: string | string[] | undefined }>
 type SearchParamProps = {
 	searchParams: SearchParams;
 };
 
-export default function Home(props: SearchParamProps) {
-	const modrinthSite = process.env.NEXT_PUBLIC_MODRINTH_SITE
-	const clientId = process.env.NEXT_PUBLIC_MODRINTH_APP_ID!
-	const callback = getRedirectUrl()
-	const scope = `USER_READ`
-
-  	const oathUrl = `${modrinthSite}/auth/authorize?client_id=${encodeURIComponent(clientId)}&redirect_uri=${encodeURIComponent(callback)}&scope=${encodeURIComponent(scope)}`
-
-	return (
-		<main>
-			<center>
-				<h1>ModFest panel</h1>
-				<a href={oathUrl}>Log in with Modrinth</a>
-			</center>
-		</main>
-	);
+export default async function Home(props: SearchParamProps) {
+	// We obtain the page to redirect to after this whole ordeal.
+	// If it's not specified we set it to ""
+	var redirect = (await props.searchParams)["r"] ?? ""
+	if (typeof(redirect) !== "string") {
+		redirect = redirect[0]
+	}
+	return <Inner redirect_url={redirect}></Inner>
 }