fix(security): bind link-github OAuth state to authenticated session#342
Merged
Priyanshu-byte-coder merged 1 commit intoMay 19, 2026
Conversation
The OAuth state generated by /api/auth/link-github was a random nonce with no binding to the authenticated user's session. An attacker who places their state cookie on a victim's browser (via XSS, cookie tossing, or a shared device) could redirect the victim to the callback URL with the attacker's OAuth code and state. The callback would pass the cookie/state match check, then link the attacker's secondary GitHub account to the victim's devtrack profile under the victim's session. Fix: embed session.githubId into the state as <nonce>.<githubId>. The callback now extracts the embedded ID after the cookie/state match and verifies it equals session.githubId. A state generated for user A is therefore rejected when the callback runs under user B's session, regardless of whether the cookie and URL param match. Files changed: - src/app/api/auth/link-github/route.ts: state now includes githubId - src/app/api/auth/link-github/callback/route.ts: verifies embedded ID
|
@anshul23102 is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel. A member of the Team first needs to authorize it. |
Priyanshu-byte-coder
approved these changes
May 19, 2026
Owner
Priyanshu-byte-coder
left a comment
Priyanshu-byte-coder
left a comment
There was a problem hiding this comment.
Solid CSRF mitigation. Embedding githubId in the state nonce and verifying it in the callback prevents cookie-tossing attacks — an attacker's state cookie placed on a victim's browser will fail the ID check. The nonce still provides randomness so state can't be predicted. Correct.
Priyanshu-byte-coder
merged commit ee47873
into
Priyanshu-byte-coder:main
7 checks passed
Priyanshu-byte-coder
added
gssoc:approved
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #341
What was wrong
The OAuth `state` in `/api/auth/link-github` was a random nonce with no binding to the authenticated user's session. An attacker who places their state cookie on a victim's browser can redirect the victim to the callback URL with the attacker's OAuth code. The callback passes the cookie/state match check and links the attacker's secondary GitHub account to the victim's devtrack profile under the victim's session.
What changed
`src/app/api/auth/link-github/route.ts`
`src/app/api/auth/link-github/callback/route.ts`
Why this is safe
GitHub IDs are numeric integers and will never contain a `.`, so the `.` format parses unambiguously. The 32-byte random nonce prefix still prevents brute-force state guessing.
Files changed
Type of change