Reject cookies from third-party applications.

Otherwise, when a user is logged in to their Solid server,
any third-party application could perform authenticated requests
without permission by including the credentials set by the Solid server.

Closes #524. Breaking change, needs new semver-major.

Author: RubenVerborgh

lib/create-app.js

@@ -20,6 +20,7 @@ const OidcManager = require('./models/oidc-manager')
 const config = require('./server-config')
 const defaults = require('../config/defaults')
 const options = require('./handlers/options')
+const debug = require('./debug').authentication
 
 const corsSettings = cors({
   methods: [
@@ -143,9 +144,24 @@ function initViews (app, configPath) {
 function initWebId (argv, app, ldp) {
   config.ensureWelcomePage(argv)
 
-  // Use session cookies
+  // Store in a session cookie whether the user is logged in
+  // (for direct browsing by people only)
   const useSecureCookies = argv.webid  // argv.webid forces https and secure cookies
-  app.use(session(sessionSettings(useSecureCookies, argv.host)))
+  const sessionHandler = session(sessionSettings(useSecureCookies, argv.host))
+  app.use(function (req, res, next) {
+    // Reject cookies from third-party applications.
+    // Otherwise, when a user is logged in to their Solid server,
+    // any third-party application could perform authenticated requests
+    // without permission by including the credentials set by the Solid server.
+    const origin = req.headers.origin
+    const expectedOrigin = `${req.protocol}://${req.headers.host}`
+    if (origin && origin !== expectedOrigin) {
+      debug(`Rejecting cookie for ${expectedOrigin} because it was sent by ${origin}`)
+      req.session = {}
+      return next()
+    }
+    sessionHandler(req, res, next)
+  })
 
   let accountManager = AccountManager.from({
     authMethod: argv.auth,

test/integration/authentication-oidc.js

@@ -145,18 +145,106 @@ describe('Authentication API (OIDC)', () => {
       fs.removeSync(path.join(aliceDbPath, 'users/users'))
     })
 
-    it('should login and be redirected to /authorize', (done) => {
-      alice.post('/login/password')
-        .type('form')
-        .send({ username: 'alice' })
-        .send({ password: alicePassword })
-        .expect(302)
-        .expect('set-cookie', /connect.sid/)
-        .end((err, res) => {
-          let loginUri = res.header.location
-          expect(loginUri.startsWith(aliceServerUri + '/authorize'))
-          done(err)
+    describe('after performing a correct login', () => {
+      let response, cookie
+      before(done => {
+        aliceUserStore.initCollections()
+        aliceUserStore.createUser(aliceAccount, alicePassword)
+        alice.post('/login/password')
+          .type('form')
+          .send({ username: 'alice' })
+          .send({ password: alicePassword })
+          .end((err, res) => {
+            response = res
+            cookie = response.headers['set-cookie'][0]
+            done(err)
+          })
+      })
+
+      it('should redirect to /authorize', () => {
+        const loginUri = response.headers.location
+        expect(response).to.have.property('status', 302)
+        expect(loginUri.startsWith(aliceServerUri + '/authorize'))
+      })
+
+      it('should set the cookie', () => {
+        expect(cookie).to.match(/connect.sid=/)
+      })
+
+      it('should set the cookie with HttpOnly', () => {
+        expect(cookie).to.match(/HttpOnly/)
+      })
+
+      it('should set the cookie with Secure', () => {
+        expect(cookie).to.match(/Secure/)
+      })
+
+      describe('and performing a subsequent request', () => {
+        describe('without that cookie', () => {
+          let response
+          before(done => {
+            alice.get('/')
+              .end((err, res) => {
+                response = res
+                done(err)
+              })
+          })
+
+          it('should return a 401', () => {
+            expect(response).to.have.property('status', 401)
+          })
+        })
+
+        describe('with that cookie but without origin', () => {
+          let response
+          before(done => {
+            alice.get('/')
+              .set('Cookie', cookie)
+              .end((err, res) => {
+                response = res
+                done(err)
+              })
+          })
+
+          it('should return a 200', () => {
+            expect(response).to.have.property('status', 200)
+          })
+        })
+
+        describe('with that cookie and the same origin', () => {
+          let response
+          before(done => {
+            alice.get('/')
+              .set('Cookie', cookie)
+              .set('Origin', aliceServerUri)
+              .end((err, res) => {
+                response = res
+                done(err)
+              })
+          })
+
+          it('should return a 200', () => {
+            expect(response).to.have.property('status', 200)
+          })
+        })
+
+        describe('with that cookie and a different origin', () => {
+          let response
+          before(done => {
+            alice.get('/')
+              .set('Cookie', cookie)
+              .set('Origin', bobServerUri)
+              .end((err, res) => {
+                response = res
+                done(err)
+              })
+          })
+
+          it('should return a 401', () => {
+            expect(response).to.have.property('status', 401)
+          })
         })
+      })
     })
 
     it('should throw a 400 if no username is provided', (done) => {

test/resources/accounts-scenario/alice/.acl

@@ -1,5 +1,5 @@
 <#Owner>
  a <http://www.w3.org/ns/auth/acl#Authorization> ;
  <http://www.w3.org/ns/auth/acl#accessTo> <./>;
- <http://www.w3.org/ns/auth/acl#agent> <https://127.0.0.1:5000/profile/card#me>;
- <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>, <http://www.w3.org/ns/auth/acl#Write>, <http://www.w3.org/ns/auth/acl#Control> .
+ <http://www.w3.org/ns/auth/acl#agent> <https://localhost:7000/profile/card#me>;
+ <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>, <http://www.w3.org/ns/auth/acl#Write>, <http://www.w3.org/ns/auth/acl#Control> .