forked from envoyproxy/envoy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathenvoy_examples.patch
29 lines (27 loc) · 2.66 KB
/
envoy_examples.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
diff --git a/single-page-app/verify.sh b/single-page-app/verify.sh
index 6e188e6..819661e 100755
--- a/single-page-app/verify.sh
+++ b/single-page-app/verify.sh
@@ -149,7 +149,10 @@ test_auth () {
"${proxy_scheme}://localhost:${proxy_port}/login" \
"${curl_args[@]}"
- encoded_state=$(echo -n "{\"url\":\"${proxy_scheme}://localhost:${proxy_port}/login\",\"nonce\":\"12345678\"}" | basenc --base64url --wrap=0 | sed 's/=//g')
+ random=$(head /dev/urandom | xxd -p | head -c 16)
+ hmac=$(echo -n "${random}" | openssl dgst -sha256 -hmac "${HMAC_SECRET}" -binary|base64)
+ csrf_token=${random}.${hmac}
+ encoded_state=$(echo -n "{\"url\":\"${proxy_scheme}://localhost:${proxy_port}/login\",\"csrf_token\":\"${csrf_token}\"}" | basenc --base64url --wrap=0 | sed 's/=//g')
run_log "Fetch the myhub authorization page"
if [[ "$STATE_BASE64URL_ENCODE" == "true" ]]; then
@@ -175,10 +178,10 @@ test_auth () {
run_log "Return to the app and receive creds"
if [[ "$STATE_BASE64URL_ENCODE" == "true" ]]; then
CODE=$(_curl "${curl_args[@]}" --head "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${encoded_state}" | grep Location | cut -d= -f2 | cut -d\& -f1)
- RESPONSE=$(_curl "${curl_args[@]}" --cookie "OauthNonce=12345678" --head "${proxy_scheme}://localhost:${proxy_port}/authorize?code=$CODE&state=${encoded_state}")
+ RESPONSE=$(_curl "${curl_args[@]}" --cookie "OauthNonce=${csrf_token}" --head "${proxy_scheme}://localhost:${proxy_port}/authorize?code=$CODE&state=${encoded_state}")
else
CODE=$(_curl "${curl_args[@]}" --head "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678" | grep Location | cut -d= -f2 | cut -d\& -f1)
- RESPONSE=$(_curl "${curl_args[@]}" --cookie "OauthNonce=12345678" --head "${proxy_scheme}://localhost:${proxy_port}/authorize?code=$CODE&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678")
+ RESPONSE=$(_curl "${curl_args[@]}" --cookie "OauthNonce=${csrf_token}" --head "${proxy_scheme}://localhost:${proxy_port}/authorize?code=$CODE&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678")
fi
echo "$RESPONSE" | grep "HTTP/1.1 302 Found"
echo "$RESPONSE" | grep "location: ${proxy_scheme}://localhost:${proxy_port}/login"