Enforce/verify state parameter of callback

This fixes a security vulnerability where a malicious actor can bypass authentication via a clickjacking attack (CSRF vulnerability).

Signed-off-by: schema <[email protected]>

SpecialOAuth2Client.php

@@ -92,17 +92,27 @@ private function _redirect() {
 	}
 
 	private function _handleCallback(){
+		global $wgRequest;
+
 		try {
+			$storedState = $wgRequest->getSession()->get('oauth2state');
+			// Enforce the `state` parameter to prevent clickjacking/CSRF
+			if(isset($storedState) && $storedState != $_GET['state']) {
+				if(isset($_GET['state'])) {
+					throw new UnexpectedValueException("State parameter of callback does not match original state");
+				} else {
+					throw new UnexpectedValueException("Required state parameter missing");
+				}
+			}
 
 			// Try to get an access token using the authorization code grant.
 			$accessToken = $this->_provider->getAccessToken('authorization_code', [
 				'code' => $_GET['code']
 			]);
 		} catch (\League\OAuth2\Client\Provider\Exception\IdentityProviderException $e) {
-
-			// Failed to get the access token or user details.
+			exit($e->getMessage()); // Failed to get the access token or user details.
+		} catch (UnexpectedValueException $e) {
 			exit($e->getMessage());
-
 		}
 
 		$resourceOwner = $this->_provider->getResourceOwner($accessToken);

extension.json

@@ -1,6 +1,6 @@
 {
 	"name": "MW-OAuth2Client",
-	"version": "0.3",
+	"version": "0.4",
 	"author": [
 		"[http://dekeijzer.org Joost de Keijzer]",
 		"[https://www.mediawiki.org/wiki/User:Nischayn22 Nischay Nahata]",