Commit Graph

2 Commits (b3c27815788e4b47e7eb3fca727d817512cf26c2)

Author SHA1 Message Date
Gavin Mogan 70584b47c5 Fixes for items highlighted by review.ai
* Consider using `hash_equals()` instead of `==` when comparing the state values to prevent timing attacks: `abort_unless(hash_equals($request->input('state'), $request->session()->pull('oauth2state')), 400, 'invalid state');`
* For better data integrity, consider adding a foreign key constraint to the user_id column: `$table->foreign('user_id')->references('id')->on('users')->onDelete('cascade');`
* Does the OIDC provider guarantee that the username field exists in the userInfo data? Consider adding a null check or fallback: `$userInfoData[config('remote-auth.oidc.field_username')] ?? null`
7 months ago
Gavin Mogan 441c8e0d4c Generic OIDC Support
* Everything should be configurable by env variables
* Basic request tests
7 months ago