add alias suffix anti-tampering to oauth authorize

2020-05-02 12:50:19 +02:00 · 2020-05-02 12:50:19 +02:00 · abeb246b2c
parent 9874422700
commit abeb246b2c
2 changed files with 18 additions and 19 deletions
--- a/app/oauth/templates/oauth/authorize.html
+++ b/app/oauth/templates/oauth/authorize.html
@ -108,7 +108,7 @@
                     style="padding-left: 5px">
                  <select class="form-control" name="suffix">
                    {% for suffix in suffixes %}
-                      <option value="{{ suffix[1] }}">
+                      <option value="{{ suffix[2] }}">
                        {% if suffix[0] %}
                          {{ suffix[1] }} (your domain)
                        {% else %}
--- a/app/oauth/views/authorize.py
+++ b/app/oauth/views/authorize.py
@ -3,10 +3,12 @@ from urllib.parse import urlparse

 from flask import request, render_template, redirect, flash
 from flask_login import current_user
+from itsdangerous import SignatureExpired

 from app.config import EMAIL_DOMAIN, ALIAS_DOMAINS, DISABLE_ALIAS_SUFFIX
 from app.email_utils import get_email_domain_part
 from app.extensions import db
+from app.dashboard.views.custom_alias import available_suffixes, signer
 from app.jose_utils import make_id_token
 from app.log import LOG
 from app.models import (
@ -109,23 +111,8 @@ def authorize():
                user_custom_domains = [
                    cd.domain for cd in current_user.verified_custom_domains()
                ]
-                # List of (is_custom_domain, alias-suffix)
-                suffixes = []
-
-                # put custom domain first
-                for alias_domain in user_custom_domains:
-                    suffixes.append((True, "@" + alias_domain))
-
-                # then default domain
-                for domain in ALIAS_DOMAINS:
-                    suffixes.append(
-                        (
-                            False,
-                            ("" if DISABLE_ALIAS_SUFFIX else "." + random_word())
-                            + "@"
-                            + domain,
-                        )
-                    )
+                # List of (is_custom_domain, alias-suffix, time-signed alias-suffix)
+                suffixes = available_suffixes(current_user)

            return render_template(
                "oauth/authorize.html",
@ -155,7 +142,7 @@ def authorize():
            LOG.d("user %s has already allowed client %s", current_user, client)
        else:
            alias_prefix = request.form.get("prefix")
-            alias_suffix = request.form.get("suffix")
+            signed_suffix = request.form.get("suffix")

            alias = None

@ -165,6 +152,18 @@ def authorize():
                if not current_user.can_create_new_alias():
                    raise Exception(f"User {current_user} cannot create custom email")

+                # hypothesis: user will click on the button in the 300 secs
+                try:
+                    alias_suffix = signer.unsign(signed_suffix, max_age=300).decode()
+                except SignatureExpired:
+                    LOG.error("Alias creation time expired")
+                    flash("Alias creation time is expired, please retry", "warning")
+                    return redirect(request.url)
+                except Exception:
+                    LOG.error("Alias suffix is tampered, user %s", current_user)
+                    flash("Unknown error, refresh the page", "error")
+                    return redirect(request.url)
+
                user_custom_domains = [
                    cd.domain for cd in current_user.verified_custom_domains()
                ]