fix(security): CSPRNG for PKCE/state + OAuth improvements#1030
Open
AlexZander85 wants to merge 7 commits intoRightNow-AI:mainfrom
Open
fix(security): CSPRNG for PKCE/state + OAuth improvements#1030AlexZander85 wants to merge 7 commits intoRightNow-AI:mainfrom
AlexZander85 wants to merge 7 commits intoRightNow-AI:mainfrom
Conversation
Ports OAuth authentication from ZeroClaw: - OpenAI Codex (ChatGPT subscription) - device code flow + PKCE - Gemini (Google OAuth) - device code flow - Qwen (Alibaba) - reads from ~/.qwen/oauth_creds.json - MiniMax - refresh token based authentication Implements: - Device code start/poll functions for each provider - PKCE code verifier/challenge generation - Token refresh logic - OAuthTokenSet struct for vault storage Note: Full workspace build blocked by pre-existing mcp.rs error (StreamableHttpClientTransportConfig non-exhaustive struct)
… mcp.rs - Fix mcp.rs StreamableHttpClientTransportConfig non-exhaustive struct - Add oauth_providers.rs with device code flows for 4 OAuth providers - Add API routes for OAuth start/poll endpoints in server.rs and routes.rs - Add OAuth UI buttons to settings.js dashboard - Add OAuth provider configs to drivers/mod.rs with oauth_provider field - Update index_body.html with OAuth login buttons for each provider
- Replace SystemTime-based pseudo-random with OsRng - generate_pkce() now uses rand::rngs::OsRng.fill_bytes() - generate_state() now uses OsRng (128-bit entropy) - Fix MiniMax stub with clearer error messages - Add tests for uniqueness (CSPRNG verification) Addresses security audit findings: - CRITICAL: Weak PKCE code verifier generation - CRITICAL: Weak state parameter generation
…docs - OAuth /start endpoints now cost 100 tokens (prevents device code spam) - OAuth /poll endpoints cost 1 token (normal polling) - Clarified Qwen is file-based token import, not true OAuth flow - Added rate limiter tests for OAuth endpoints - Updated module docs to explain Qwen and MiniMax limitations
- Resolve merge conflicts in drivers/mod.rs, mcp.rs, index_body.html - Add oauth_provider field to ProviderDefaults struct - Fix clippy: &PathBuf -> &Path, unnecessary_cast, redundant_closure, collapsible_if, manual_contains, dead_code warnings - Add missing novita/novita-ai provider defaults entry - Fix huggingface env var: HF_API_KEY -> HF_TOKEN (match upstream) - Remove orphaned i18n routes (not in this PR scope) - Fix unused variable warnings in OAuth route handlers - Apply cargo fmt
Contributor
Author
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes critical security vulnerabilities found in security audit of #1025.
Security Fixes (CRITICAL)
and::rngs::OsRng.fill_bytes()\ per RFC 7636 and RFC 6749
Changes
Testing
\\�ash
cargo test -p openfang-runtime -- oauth
6 tests passed including pkce_uniqueness and state_uniqueness
\\
Addresses Audit Findings
Co-authored-by: Security Audit security@openfang.sh