Commit Graph

4 Commits

Author SHA1 Message Date
herel 1a807cfeb4 fix(security): add nonce-uniqueness test and fix caller indentation 2026-07-08 13:57:28 +02:00
herel d8c947f88f fix(security): add nonce-based CSP header to frontend route 2026-07-08 13:50:23 +02:00
herel baef35115a fix(oidc): Add state parameter and validate nonce against login CSRF
The OIDC implicit-flow authorize request carried no state parameter and
the nonce was generated with weak Math.random() and never validated
client- or server-side, enabling login CSRF / forced authentication /
replay (AUTHZ-VULN-05).

Generate state and nonce with the Web Crypto CSPRNG, send state in the
authorize request, and validate both state and the id_token nonce claim
in the callback before storing tokens. Forward the nonce to /validate-
token so the backend also binds the id_token to the login flow.

Fixes the forged-callback fragment attack where a planted id_token with
a mismatched nonce was accepted, stored, and used by the SPA.
2026-07-08 13:34:31 +02:00
herel 0e3311df8e docs: update README and add test infrastructure
- Enhance .gitignore with comprehensive Python patterns
- Improve README with better setup and testing instructions
- Add test infrastructure:
  * Test requirements file
  * Environment setup script
  * Test runner script
  * Comprehensive test suite
  * Coverage configuration
2025-08-08 10:54:56 +02:00