The OIDC implicit-flow authorize request carried no state parameter and
the nonce was generated with weak Math.random() and never validated
client- or server-side, enabling login CSRF / forced authentication /
replay (AUTHZ-VULN-05).
Generate state and nonce with the Web Crypto CSPRNG, send state in the
authorize request, and validate both state and the id_token nonce claim
in the callback before storing tokens. Forward the nonce to /validate-
token so the backend also binds the id_token to the login flow.
Fixes the forged-callback fragment attack where a planted id_token with
a mismatched nonce was accepted, stored, and used by the SPA.
This commit adds detailed instructions on how to create an OAuth application with Infomaniak to obtain the required Client ID and Client Secret.
Fixes#1
- Enhance .gitignore with comprehensive Python patterns
- Improve README with better setup and testing instructions
- Add test infrastructure:
* Test requirements file
* Environment setup script
* Test runner script
* Comprehensive test suite
* Coverage configuration
- Add detailed README.md with project overview, setup instructions, and usage guide
- Add MIT LICENSE file for open-source distribution
- Include .gitignore file for Python and Docker artifacts