@fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused Oauth2 state
Description

### Impact

All versions of @fastify/oauth2 generated a single `state` parameter once, at startup time, and reused it across all requests for all users.
The purpose of the Oauth2 `state` parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to the user’s session in some way that will allow the server to validate it.

### Patches

v7.2.0 changes the default behavior to store the `state` in a cookie with the `http-only` and `same-site=lax` attributes set. The state is now by default generated for every user.

Note that this contains a breaking change in the `checkStateFunction` function, which now accepts the full `Request` object.

### Workarounds

There are no known workarounds.

### References

* [Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters](https://auth0.com/docs/secure/attack-protection/state-parameters)