verify azure redirect with state

ctrlplanedev · Dec 31, 2024 · 12507d6 · 12507d6
1 parent 69dbdd5
commit 12507d6
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 10 deletions.
diff --git a/apps/webservice/src/app/api/azure/[workspaceId]/[tenantId]/[subscriptionId]/[name]/route.ts b/apps/webservice/src/app/api/azure/[workspaceId]/[tenantId]/[subscriptionId]/[name]/route.ts
@@ -1,9 +1,9 @@
+import { randomUUID } from "crypto";
 import type { ResourceScanEvent } from "@ctrlplane/validators/events";
 import { NextResponse } from "next/server";
 import { Queue } from "bullmq";
 import { FORBIDDEN, INTERNAL_SERVER_ERROR, NOT_FOUND } from "http-status";
 import IORedis from "ioredis";
-import * as LZString from "lz-string";
 import ms from "ms";
 
 import { eq, takeFirstOrNull } from "@ctrlplane/db";
@@ -51,10 +51,11 @@ export const GET = async ({ params }: { params: Params }) => {
     .then(takeFirstOrNull);
 
   if (tenant == null) {
-    const configHash = LZString.compressToEncodedURIComponent(
-      JSON.stringify({ workspaceId, tenantId, subscriptionId, name }),
-    );
-    const redirectUrl = `${baseUrl}/api/azure/consent?config=${configHash}`;
+    const state = randomUUID();
+    const config = { workspaceId, tenantId, subscriptionId, name };
+    const configJSON = JSON.stringify(config);
+    await connection.set(`azure_consent_state:${state}`, configJSON, "EX", 900);
+    const redirectUrl = `${baseUrl}/api/azure/consent?state=${state}`;
     const consentUrl = `https://login.microsoftonline.com/${tenantId}/adminconsent?client_id=${clientId}&redirect_uri=${redirectUrl}`;
     return NextResponse.redirect(consentUrl);
   }

diff --git a/apps/webservice/src/app/api/azure/consent/route.ts b/apps/webservice/src/app/api/azure/consent/route.ts
@@ -4,7 +4,6 @@ import { NextResponse } from "next/server";
 import { Queue } from "bullmq";
 import { BAD_REQUEST, INTERNAL_SERVER_ERROR, NOT_FOUND } from "http-status";
 import IORedis from "ioredis";
-import * as LZString from "lz-string";
 import ms from "ms";
 import { z } from "zod";
 
@@ -30,13 +29,15 @@ const configSchema = z.object({
 
 export const GET = async (req: NextRequest) => {
   const { searchParams } = new URL(req.url);
-  const config = searchParams.get("config");
+  const state = searchParams.get("state");
 
-  if (!config) return NextResponse.json({ status: BAD_REQUEST });
+  if (!state) return NextResponse.json({ status: BAD_REQUEST });
 
-  const decodedConfig = LZString.decompressFromEncodedURIComponent(config);
-  const parsedConfig = configSchema.safeParse(JSON.parse(decodedConfig));
+  const configJSON = await connection.get(`azure_consent_state:${state}`);
+  if (configJSON == null) return NextResponse.json({ status: BAD_REQUEST });
 
+  const config = JSON.parse(configJSON);
+  const parsedConfig = configSchema.safeParse(config);
   if (!parsedConfig.success) return NextResponse.json({ status: BAD_REQUEST });
 
   const { workspaceId, tenantId, subscriptionId, name } = parsedConfig.data;