chore: improve sgid state validation

[zhongliang02]

Context

The SGID OIDC login flow, while currently safe, is prone to open redirect vulnerabilities related to the landingUrl parameter. This URL is passed into the state parameter and is derived from query params. There is insufficient validation in between the steps of the login flow, thus is quite prone to open redirect vulnerabilities.

This has occurred in kampung-spirit recently and could be partially exploitable in armoury.

Approach

To mitigate this, we propose the following changes:

1. Client-side validation: Implement validation of the landingUrl on the client side and fallback to a safe URL.

2. Server-side validation: Add server-side validation in both legs of OIDC and always fallback to a safe URL.

3. Error fallback component: Add validation for the landingUrl in the error fallback component.

Risks

• Disruption to login flow if validation logic is too strict.
• callbackUrlSchema adjusted to fail gracefully and default to HOME.
  • This seems like the intended behavior, but may affect codepaths that relied on callbackUrlSchema throwing errors.

Testing

Happy SGID flow

• Tested login flow on https://starter-5jcverdf5-ogp-tooling.vercel.app/
• Note: oidc callback url is hardcoded to https://ogp-starter-kit.vercel.app/ via env.SGID_REDIRECT_URI, so you need to use the callback code manually like so:

https://starter-5jcverdf5-ogp-tooling.vercel.app/sign-in/sgid/callback?code=YOUR_CODE&state=%7B%22landingUrl%22%3A%22https%3A%2F%2Fstarter-5jcverdf5-ogp-tooling.vercel.app%2Fhome%22%7D

Happy SGID flow with custom path `/404'

• Tested login flow on https://starter-5jcverdf5-ogp-tooling.vercel.app/sign-in?callbackUrl=/404
• Redirects to https://starter-5jcverdf5-ogp-tooling.vercel.app/404 after login

Happy email flow

• Tested email login flow, no issues

Testing client side validation

With bad callbackUrl https://starter-5jcverdf5-ogp-tooling.vercel.app/sign-in?callbackUrl=https://evil.com, the request to sgid login state.landingUrl fallbacks to https://starter-5jcverdf5-ogp-tooling.vercel.app/home

Testing server side validation on leg 1

With bad state.landingUrl submitted to /api/trpc/auth.sgid.login, response redirectUrl has query state {"landingUrl":"https://starter-5jcverdf5-ogp-tooling.vercel.app/home"}

Testing server side validation on leg 2

With bad state.landingUrl submitted to /api/trpc/auth.sgid.callback, response json

[{"result":{"data":{"json":{
  "selectProfileStep": true,
  "redirectUrl": "/sign-in/select-profile?callbackUrl=https%3A%2F%2Fstarter-5jcverdf5-ogp-tooling.vercel.app%2Fhome"
}}}}]

Testing error fallback component

redirectUrl in SgidErrorFallback is sanitized.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
starter-kit	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jan 3, 2025 10:09am

[datadog-opengovsg]

Datadog Report

Branch report: 01-03-chore_improve_sgid_state_validation
Commit report: a774b01
Test service: starter-kit

✅ 0 Failed, 11 Passed, 0 Skipped, 10.4s Total Time
🔻 Test Sessions change in coverage: 1 decreased (-0.09%)

🔻 Code Coverage Decreases vs Default Branch (1)

• vitest run --coverage 16.34% (-0.09%) - Details

[karrui]

lgtm