Merge commit from fork

Author: Bekacru

packages/core/src/lib/actions/callback/oauth/checks.ts

@@ -15,6 +15,12 @@ import type { WebAuthnProviderType } from "../../../../providers/webauthn.js"
 
 interface CookiePayload {
   value: string
+  /**
+   * The id of the provider that created this cookie. Since the cookie names
+   * are not provider-specific, the id is stored in the sealed payload and
+   * checked on callback.
+   */
+  provider?: string
 }
 
 const COOKIE_TTL = 60 * 15 // 15 minutes
@@ -40,7 +46,10 @@ async function sealCookie(
   const encoded = await encode({
     ...options.jwt,
     maxAge: COOKIE_TTL,
-    token: { value: payload } satisfies CookiePayload,
+    token: {
+      value: payload,
+      provider: options.provider.id,
+    } satisfies CookiePayload,
     salt: cookie.name,
   })
   const cookieOptions = { ...cookie.options, expires }
@@ -62,8 +71,15 @@ async function parseCookie(
       token: value,
       salt: cookies[name].name,
     })
-    if (parsed?.value) return parsed.value
-    throw new Error("Invalid cookie")
+    if (!parsed?.value) throw new Error("Invalid cookie")
+    // The check must have been created by the provider currently handling
+    // the callback.
+    if (parsed.provider !== options.provider?.id) {
+      throw new Error(
+        `${name} cookie was created for a different provider than the one handling the callback`
+      )
+    }
+    return parsed.value
   } catch (error) {
     throw new InvalidCheck(`${name} value could not be parsed`, {
       cause: error,

packages/core/test/actions/callback.test.ts

@@ -6,7 +6,11 @@ import Credentials from "../../src/providers/credentials.js"
 import { logger, makeAuthRequest, testConfig } from "../utils.js"
 import { skipCSRFCheck } from "../../src/index.js"
 import { CredentialsSignin, InvalidCheck } from "../../src/errors.js"
-import { state } from "../../src/lib/actions/callback/oauth/checks.js"
+import {
+  nonce,
+  pkce,
+  state,
+} from "../../src/lib/actions/callback/oauth/checks.js"
 
 describe("assert GET callback action", () => {
   beforeEach(() => {
@@ -149,6 +153,70 @@ describe("assert GET callback action", () => {
   })
 })
 
+describe("OAuth check cookies are bound to their provider", () => {
+  const cookieOptions = { secure: true, sameSite: "lax" as const, httpOnly: true }
+  const cookies = {
+    state: { name: "authjs.state", options: cookieOptions },
+    nonce: { name: "authjs.nonce", options: cookieOptions },
+    pkceCodeVerifier: {
+      name: "authjs.pkce.code_verifier",
+      options: cookieOptions,
+    },
+  }
+
+  function optionsFor(id: string, checks: Array<"state" | "nonce" | "pkce">) {
+    return {
+      logger,
+      provider: { id, checks },
+      jwt: { secret: "secret" },
+      cookies,
+    } as any
+  }
+
+  it("accepts a state cookie on the same provider's callback", async () => {
+    const created = (await state.create(optionsFor("github", ["state"]))) as any
+    const value = await state.use(
+      { [cookies.state.name]: created.cookie.value },
+      [],
+      optionsFor("github", ["state"])
+    )
+    expect(value).toBe(created.value)
+  })
+
+  it("rejects a state cookie minted for a different provider", async () => {
+    const created = (await state.create(optionsFor("github", ["state"]))) as any
+    await expect(
+      state.use(
+        { [cookies.state.name]: created.cookie.value },
+        [],
+        optionsFor("google", ["state"])
+      )
+    ).rejects.toThrow(InvalidCheck)
+  })
+
+  it("rejects a nonce cookie minted for a different provider", async () => {
+    const created = (await nonce.create(optionsFor("github", ["nonce"]))) as any
+    await expect(
+      nonce.use(
+        { [cookies.nonce.name]: created.cookie.value },
+        [],
+        optionsFor("google", ["nonce"])
+      )
+    ).rejects.toThrow(InvalidCheck)
+  })
+
+  it("rejects a PKCE verifier cookie minted for a different provider", async () => {
+    const created = (await pkce.create(optionsFor("github", ["pkce"]))) as any
+    await expect(
+      pkce.use(
+        { [cookies.pkceCodeVerifier.name]: created.cookie.value },
+        [],
+        optionsFor("google", ["pkce"])
+      )
+    ).rejects.toThrow(InvalidCheck)
+  })
+})
+
 describe("assert POST callback action", () => {
   describe("Credentials provider", () => {
     it("should return error=CredentialSignin and code=credentials if authorize returns null", async () => {