BUG: [Security] Critical: Login CSRF vulnerability in OAuth flow (Missing 'state' parameter) #268
Description
Is there an existing issue for this?
- I have searched the existing issues
What happened?
📌 Issue Overview
The current GitHub OAuth implementation in
backend/integrations/discord/cogs.py
and
backend/app/api/v1/auth.py
is vulnerable to Login CSRF / Session Fixation attacks. The flow relies solely on a session_id embedded in the redirect_uri to bind the Discord verification request to the GitHub callback, without validating the standard OAuth state parameter (RFC 6749).
This allows an attacker to force a victim's Discord account to be linked to the attacker's GitHub account by tricking them into clicking a valid callback link.
🔍 Steps to Reproduce
Initiate Verification: Run /verify_github in Discord to generate a verification link.
Inspect URL: Analyze the generated OAuth URL.
Code Verification: Inspect
backend/integrations/discord/cogs.py
at line 150.
auth_url_data = await login_with_github(redirect_to=callback_url)
The Error: the
login_with_github
function supports a state parameter, but it is not passed.
🎯 Expected Behavior
The OAuth initialization should generate a cryptographically secure random state token, store it (e.g., in Redis) with a short expiration, and pass it to GitHub. The callback endpoint should verify that the returned state matches the stored token before processing the linkage.
🚨 Actual Behavior
The state parameter is defined as Optional in
backend/app/services/auth/supabase.py
and is never passed by the
verify_github
command. The backend accepts any valid code + session_id pair without verifying the origin of the request.
🔗 Verification Evidence
I verified this using a script that imports the actual project code.
Source Code Check (
cogs.py
): Line 150 calls
login_with_github
with ONLY redirect_to. The state argument is absent.
Execution Check (
supabase.py
): When running the actual backend logic, the generated URL sent to the provider is:
Provider: github
Options: {'redirect_to': '.../callback'}
State Parameter: MISSING
This confirms the vulnerability exists in the live codebase.
💡 Suggested Improvements
Generate State: In
cogs.py
, generate state = secrets.token_urlsafe(32).
Store It: Save redis.setex(f"oauth_state:{state}", 300, session_id).
Pass It: Update correct call: await login_with_github(..., state=state).
Validate It: Update auth_callback in auth.py to Depends(verify_state_token).
Record
- I agree to follow this project's Code of Conduct
- I want to work on this issue