
myecl.fr hard-coded as redirect host on web version no matter the flavor #436

Open
Marc-Andrieu opened this issue Sep 27, 2024 · 2 comments
Labels: bug, core (This PR change the core), login

Comments

@Marc-Andrieu
Contributor

Steps to reproduce

On a computer:

  1. Disable your Internet connection
  2. Launch Hyperion locally
  3. Launch Web Titan locally (with dev flavor obviously)
  4. On the CalypSSO login page, realize the redirect URI is https://myecl.fr/static.html (also true for the alpha flavor and on titan.dev.[...].fr)
  5. Try to log in: no access to myecl.fr (prod) makes you unable to use MyECL locally (or any non-prod version)
Marc-Andrieu added the core (This PR change the core), bug and login labels on Sep 27, 2024
@Marc-Andrieu
Contributor Author

See

final String redirectUrlHost = "myecl.fr";

@Marc-Andrieu
Contributor Author

The rationale of this issue is initially to remove a redirection to a specific client since this project is open-source. I'd like the client to redirect to itself (not myecl.fr specifically) when logging in successfully, and that the redirection works as intended.

After multiple failed attempts, here's what I noticed:

  • For Titan specifically, the redirection doesn't redirect as a watchful user would expect. E.g. when logging in on the alpha website, the small window closes after loading https://myecl.fr/static.html so that in practice you're still on the alpha web, although a watchful user would've noticed the redirect URI was actually set to the prod website.
  • However, when changing "myecl.fr" to "example.org" above (L122) AND using https://example.org/static.html in Hyperion's .env, the window redirects perfectly but is NOT closed afterwards.
  • This fact that the window to Hyperion is closed by Titan after loading https://myecl.fr/static.html appears to me as a security issue: someone could create a malicious website which redirects to our SSO with https://myecl.fr/static.html as redirect URI then close the window and be back on the malicious website because Hyperion saw https://myecl.fr/static.html and a structure compatible with AppAuthClient. Perhaps this is impossible given that we can't even get the prod flavor to work (the prod Hyperion does not recognize my local client).

For reference, see #146 and Hyperion#212 about security and overdependence on our infrastructure.

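An added example (not Titan's or Hyperion's code) of the shape a fix for the report above could take in a web client: the redirect URI is derived from the client's own origin instead of a hard-coded host, and the login popup is only closed when the URL it ended on matches that expected origin and path. `REDIRECT_PATH`, the origin values and the `popup` object are assumptions for illustration.

```javascript
// Assumed path component of the redirect URI (the page's own example uses /static.html).
const REDIRECT_PATH = "/static.html";

// Build the redirect URI for whichever flavor is running, from the client's own
// origin (e.g. window.location.origin in a browser), so dev/alpha/prod never share
// a hard-coded host. Plain http is only tolerated for local development.
function redirectUriFor(origin) {
  const u = new URL(origin);
  const isLocal = u.hostname === "localhost" || u.hostname === "127.0.0.1";
  if (u.protocol !== "https:" && !isLocal) {
    throw new Error("redirect URI must use https (http only for localhost)");
  }
  return new URL(REDIRECT_PATH, u.origin).toString();
}

// Return true only when the popup's final URL has the same origin (scheme, host,
// port) and path as the redirect URI this client registered. A prod redirect
// observed from a dev or alpha client is a mismatch, not a successful login.
function isExpectedRedirect(finalUrl, expectedRedirectUri) {
  let f, e;
  try {
    f = new URL(finalUrl);
    e = new URL(expectedRedirectUri);
  } catch {
    return false; // unparsable URL: never treat as a completed login
  }
  return f.origin === e.origin && f.pathname === e.pathname;
}

// Called when the login popup navigates to its final URL. The popup is closed
// (and the login considered finished) only for a matching redirect; otherwise
// it stays open and the caller gets the reason.
function onPopupNavigated(popup, finalUrl, expectedRedirectUri) {
  if (!isExpectedRedirect(finalUrl, expectedRedirectUri)) {
    return { closed: false, reason: "redirect origin/path mismatch" };
  }
  popup.close();
  return { closed: true, reason: "ok" };
}
```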