From 598ebabc5c102c36207dc54f6938bb783d14e55f Mon Sep 17 00:00:00 2001
From: Polianin Nikita <nikitkapolyanin@yandex.ru>
Date: Wed, 18 Dec 2024 07:24:33 +0300
Subject: [PATCH] sec: use HMAC to encrypt state

---
 Security/DependencyInjection.cs   |  2 +-
 Security/Services/OAuthService.cs | 19 +++++++++++++------
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/Security/DependencyInjection.cs b/Security/DependencyInjection.cs
index aa36553..dc87c7d 100644
--- a/Security/DependencyInjection.cs
+++ b/Security/DependencyInjection.cs
@@ -61,7 +61,7 @@ public static class DependencyInjection
             providers.Add(provider, (clientId, secret));
         }
 
-        services.AddSingleton(provider => new OAuthService(provider.GetRequiredService<ILogger<OAuthService>>(), providers));
+        services.AddSingleton(provider => new OAuthService(provider.GetRequiredService<ILogger<OAuthService>>(), providers, configuration["SECURITY_ENCRYPTION_TOKEN"]!));
 
         return services;
     }
diff --git a/Security/Services/OAuthService.cs b/Security/Services/OAuthService.cs
index b23d9da..b2ef0ee 100644
--- a/Security/Services/OAuthService.cs
+++ b/Security/Services/OAuthService.cs
@@ -10,13 +10,15 @@ using System.Linq;
 using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Security;
+using System.Security.Cryptography;
+using System.Text;
 using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
 
 namespace Mirea.Api.Security.Services;
 
-public class OAuthService(ILogger<OAuthService> logger, Dictionary<OAuthProvider, (string ClientId, string Secret)> providers)
+public class OAuthService(ILogger<OAuthService> logger, Dictionary<OAuthProvider, (string ClientId, string Secret)> providers, string secretKey)
 {
     private static readonly Dictionary<OAuthProvider, OAuthProviderUrisData> ProviderData = new()
     {
@@ -97,6 +99,12 @@ public class OAuthService(ILogger<OAuthService> logger, Dictionary<OAuthProvider
         return userInfo?.MapToInternalUser();
     }
 
+    private static string GetHmacString(RequestContextInfo contextInfo, string secretKey)
+    {
+        var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secretKey));
+        return Convert.ToBase64String(hmac.ComputeHash(
+            Encoding.UTF8.GetBytes($"{contextInfo.Fingerprint}_{contextInfo.Ip}_{contextInfo.UserAgent}")));
+    }
 
     public Uri GetProviderRedirect(HttpContext context, CookieOptionsParameters cookieOptions, string redirectUri, OAuthProvider provider)
     {
@@ -106,7 +114,7 @@ public class OAuthService(ILogger<OAuthService> logger, Dictionary<OAuthProvider
                                 "&response_type=code" +
                                 $"&redirect_uri={redirectUri}" +
                                 $"&scope={ProviderData[provider].Scope}" +
-                                $"&state={new RequestContextInfo(context, cookieOptions).Fingerprint}_{Enum.GetName(provider)}";
+                                $"&state={GetHmacString(new RequestContextInfo(context, cookieOptions), secretKey)}_{Enum.GetName(provider)}";
 
 
 
@@ -121,8 +129,6 @@ public class OAuthService(ILogger<OAuthService> logger, Dictionary<OAuthProvider
 
     public async Task<(OAuthProvider provider, OAuthUser User)> LoginOAuth(HttpContext context, CookieOptionsParameters cookieOptions, string redirectUrl, string code, string state, CancellationToken cancellation = default)
     {
-        var requestContext = new RequestContextInfo(context, cookieOptions);
-
         var partsState = state.Split('_');
 
         if (!Enum.TryParse<OAuthProvider>(partsState.Last(), true, out var provider) ||
@@ -133,9 +139,10 @@ public class OAuthService(ILogger<OAuthService> logger, Dictionary<OAuthProvider
             throw new InvalidOperationException("Invalid authorization request.");
         }
 
-        var fingerprint = string.Join("_", partsState.SkipLast(1));
+        var secretStateData = string.Join("_", partsState.SkipLast(1));
+        var secretData = GetHmacString(new RequestContextInfo(context, cookieOptions), secretKey);
 
-        if (requestContext.Fingerprint != fingerprint)
+        if (secretData != secretStateData)
         {
             logger.LogWarning("Fingerprint mismatch. Possible CSRF attack detected.");
             throw new SecurityException("Suspicious activity detected. Please try again.");