Reject cookies from third-party applications.

RubenVerborgh · RubenVerborgh · commit de38bf87d858 · 2017-07-25T17:09:00.000-04:00
Otherwise, when a user is logged in to their Solid server, any third-party application could perform authenticated requests without permission by including the credentials set by the Solid server. Closes #524. Breaking change, needs new semver-major.
diff --git a/lib/create-app.js b/lib/create-app.js
@@ -20,6 +20,7 @@ const OidcManager = require('./models/oidc-manager')
 const config = require('./server-config')
 const defaults = require('../config/defaults')
 const options = require('./handlers/options')
+const debug = require('./debug').authentication
 
 const corsSettings = cors({
   methods: [
@@ -143,9 +144,29 @@ function initViews (app, configPath) {
 function initWebId (argv, app, ldp) {
   config.ensureWelcomePage(argv)
 
-  // Use session cookies
+  // Store the user's session key in a cookie
+  // (for same-domain browsing by people only)
   const useSecureCookies = argv.webid  // argv.webid forces https and secure cookies
-  app.use(session(sessionSettings(useSecureCookies, argv.host)))
+  const sessionHandler = session(sessionSettings(useSecureCookies, argv.host))
+  app.use((req, res, next) => {
+    sessionHandler(req, res, () => {
+      // Reject cookies from third-party applications.
+      // Otherwise, when a user is logged in to their Solid server,
+      // any third-party application could perform authenticated requests
+      // without permission by including the credentials set by the Solid server.
+      const origin = req.headers.origin
+      const userId = req.session.userId
+      if (!argv.host.allowsSessionFor(userId, origin)) {
+        debug(`Rejecting session for ${userId} from ${origin}`)
+        // Destroy session data
+        delete req.session.userId
+        delete req.session.identified
+        // Ensure this modified session is not saved
+        req.session.save = (done) => done()
+      }
+      next()
+    })
+  })
 
   let accountManager = AccountManager.from({
     authMethod: argv.auth,
diff --git a/lib/models/solid-host.js b/lib/models/solid-host.js
@@ -61,6 +61,25 @@ class SolidHost {
     }
     return this.parsedUri.protocol + '//' + accountName + '.' + this.host
   }
+  /**
+   * Determines whether the given user is allowed to restore a session
+   * from the given origin.
+   *
+   * @param userId {?string}
+   * @param origin {?string}
+   * @return {boolean}
+   */
+  allowsSessionFor (userId, origin) {
+    // Allow no user or an empty origin
+    if (!userId || !origin) return true
+    // Allow the server's main domain
+    if (origin === this.serverUri) return true
+    // Allow the user's subdomain
+    const userIdHost = userId.replace(/([^:/])\/.*/, '$1')
+    if (origin === userIdHost) return true
+    // Disallow everything else
+    return false
+  }
 
   /**
    * Returns the /authorize endpoint URL object (used in login requests, etc).
diff --git a/test/integration/authentication-oidc.js b/test/integration/authentication-oidc.js
@@ -145,18 +145,106 @@ describe('Authentication API (OIDC)', () => {
       fs.removeSync(path.join(aliceDbPath, 'users/users'))
     })
 
-    it('should login and be redirected to /authorize', (done) => {
-      alice.post('/login/password')
-        .type('form')
-        .send({ username: 'alice' })
-        .send({ password: alicePassword })
-        .expect(302)
-        .expect('set-cookie', /connect.sid/)
-        .end((err, res) => {
-          let loginUri = res.header.location
-          expect(loginUri.startsWith(aliceServerUri + '/authorize'))
-          done(err)
+    describe('after performing a correct login', () => {
+      let response, cookie
+      before(done => {
+        aliceUserStore.initCollections()
+        aliceUserStore.createUser(aliceAccount, alicePassword)
+        alice.post('/login/password')
+          .type('form')
+          .send({ username: 'alice' })
+          .send({ password: alicePassword })
+          .end((err, res) => {
+            response = res
+            cookie = response.headers['set-cookie'][0]
+            done(err)
+          })
+      })
+
+      it('should redirect to /authorize', () => {
+        const loginUri = response.headers.location
+        expect(response).to.have.property('status', 302)
+        expect(loginUri.startsWith(aliceServerUri + '/authorize'))
+      })
+
+      it('should set the cookie', () => {
+        expect(cookie).to.match(/connect.sid=/)
+      })
+
+      it('should set the cookie with HttpOnly', () => {
+        expect(cookie).to.match(/HttpOnly/)
+      })
+
+      it('should set the cookie with Secure', () => {
+        expect(cookie).to.match(/Secure/)
+      })
+
+      describe('and performing a subsequent request', () => {
+        describe('without that cookie', () => {
+          let response
+          before(done => {
+            alice.get('/')
+              .end((err, res) => {
+                response = res
+                done(err)
+              })
+          })
+
+          it('should return a 401', () => {
+            expect(response).to.have.property('status', 401)
+          })
+        })
+
+        describe('with that cookie and a non-matching origin', () => {
+          let response
+          before(done => {
+            alice.get('/')
+              .set('Cookie', cookie)
+              .set('Origin', bobServerUri)
+              .end((err, res) => {
+                response = res
+                done(err)
+              })
+          })
+
+          it('should return a 401', () => {
+            expect(response).to.have.property('status', 401)
+          })
+        })
+
+        describe('with that cookie but without origin', () => {
+          let response
+          before(done => {
+            alice.get('/')
+              .set('Cookie', cookie)
+              .end((err, res) => {
+                response = res
+                done(err)
+              })
+          })
+
+          it('should return a 200', () => {
+            expect(response).to.have.property('status', 200)
+          })
+        })
+
+        describe('with that cookie and a matching origin', () => {
+          let response
+          before(done => {
+            alice.get('/')
+              .set('Cookie', cookie)
+              .set('Origin', aliceServerUri)
+              .end((err, res) => {
+                response = res
+                done(err)
+              })
+          })
+
+          it('should return a 200', () => {
+            expect(response).to.have.property('status', 200)
+          })
         })
+      })
     })
 
     it('should throw a 400 if no username is provided', (done) => {
diff --git a/test/resources/accounts-scenario/alice/.acl b/test/resources/accounts-scenario/alice/.acl
@@ -1,5 +1,5 @@
 <#Owner>
  a <http://www.w3.org/ns/auth/acl#Authorization> ;
  <http://www.w3.org/ns/auth/acl#accessTo> <./>;
- <http://www.w3.org/ns/auth/acl#agent> <https://127.0.0.1:5000/profile/card#me>;
- <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>, <http://www.w3.org/ns/auth/acl#Write>, <http://www.w3.org/ns/auth/acl#Control> .
+ <http://www.w3.org/ns/auth/acl#agent> <https://localhost:7000/profile/card#me>;
+ <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>, <http://www.w3.org/ns/auth/acl#Write>, <http://www.w3.org/ns/auth/acl#Control> .
diff --git a/test/unit/solid-host.js b/test/unit/solid-host.js
@@ -26,7 +26,7 @@ describe('SolidHost', () => {
     })
   })
 
-  describe('uriForAccount()', () => {
+  describe('accountUriFor()', () => {
     it('should compose an account uri for an account name', () => {
       let config = {
         serverUri: 'https://test.local'
@@ -42,6 +42,39 @@ describe('SolidHost', () => {
     })
   })
 
+  describe('allowsSessionFor()', () => {
+    let host
+    before(() => {
+      host = SolidHost.from({
+        serverUri: 'https://test.local'
+      })
+    })
+
+    it('should allow an empty userId and origin', () => {
+      expect(host.allowsSessionFor('', '')).to.be.true
+    })
+
+    it('should allow a userId with empty origin', () => {
+      expect(host.allowsSessionFor('https://user.test.local/profile/card#me', '')).to.be.true
+    })
+
+    it('should allow a userId with the user subdomain as origin', () => {
+      expect(host.allowsSessionFor('https://user.test.local/profile/card#me', 'https://user.test.local')).to.be.true
+    })
+
+    it('should disallow a userId with another subdomain as origin', () => {
+      expect(host.allowsSessionFor('https://user.test.local/profile/card#me', 'https://other.test.local')).to.be.false
+    })
+
+    it('should allow a userId with the server domain as origin', () => {
+      expect(host.allowsSessionFor('https://user.test.local/profile/card#me', 'https://test.local')).to.be.true
+    })
+
+    it('should disallow a userId from a different domain', () => {
+      expect(host.allowsSessionFor('https://user.test.local/profile/card#me', 'https://other.remote')).to.be.false
+    })
+  })
+
   describe('cookieDomain getter', () => {
     it('should return null for single-part domains (localhost)', () => {
       let host = SolidHost.from({
