feat(backend): use stateless OAuth2 state store (#6098)

2026-04-15 19:02:43 +06:00 · 2026-04-15 19:02:43 +06:00 · 76329eaf31
commit 76329eaf31
parent 5d855f95c9
7 changed files with 289 additions and 60 deletions
--- a/packages/hoppscotch-backend/package.json
+++ b/packages/hoppscotch-backend/package.json
@ -56,7 +56,6 @@
    "cookie-parser": "1.4.7",
    "dotenv": "17.3.1",
    "express": "5.2.1",
-    "express-session": "1.19.0",
    "fp-ts": "2.16.11",
    "graphql": "16.13.1",
    "graphql-query-complexity": "1.1.0",
--- a/packages/hoppscotch-backend/src/auth/stateless-state-store.ts
+++ b/packages/hoppscotch-backend/src/auth/stateless-state-store.ts
@ -0,0 +1,265 @@
+import * as crypto from 'crypto';
+
+/**
+ * Module-level fallback secret for single-instance deployments
+ * where INFRA.SESSION_SECRET is not configured.
+ */
+const FALLBACK_SECRET = crypto.randomBytes(32).toString('hex');
+
+/**
+ * Maximum serialized payload size in bytes.
+ * Prevents oversized state parameters that could break provider redirects
+ * or exceed URL length limits.
+ */
+const MAX_PAYLOAD_BYTES = 2048;
+
+/**
+ * Default cookie name used to bind the OAuth state to a specific browser session.
+ * Prevents login CSRF by ensuring the callback can only be completed
+ * by the same browser that initiated the OAuth flow.
+ */
+const DEFAULT_COOKIE_NAME = '__oauth_nonce';
+
+/**
+ * A stateless OAuth state store for passport strategies.
+ *
+ * Instead of storing state in express-session (MemoryStore), this encodes
+ * the state as a signed, time-limited token passed through the OAuth `state`
+ * query parameter. The token format is: `base64url(payload).base64url(hmac)`.
+ *
+ * CSRF protection: A random nonce is generated per OAuth flow, stored in a
+ * SameSite=Lax HttpOnly cookie, and mixed into the HMAC signature. On
+ * callback, the nonce from the cookie is used to verify the signature,
+ * ensuring the same browser that started the flow completes it.
+ *
+ * This eliminates all server-side session state from the OAuth flow, making
+ * it fully compatible with horizontal scaling (multiple backend instances
+ * behind a load balancer).
+ *
+ * Supports both passport-oauth2 (Google, GitHub, Microsoft) which dispatches
+ * by `.length`, and passport-openidconnect (OIDC) which always calls with 5 args.
+ *
+ * IMPORTANT: For multi-instance deployments, `INFRA.SESSION_SECRET` must be
+ * set to the same value across all instances.
+ */
+export class StatelessStateStore {
+  private readonly secret: string;
+  private readonly maxAgeMs: number;
+  private readonly cookieName: string;
+  private readonly secureCookies: boolean;
+
+  constructor(
+    secret?: string,
+    maxAgeMs: number = 600_000,
+    cookieName?: string,
+    secureCookies?: boolean,
+  ) {
+    if (!secret) {
+      if (process.env.NODE_ENV === 'production') {
+        throw new Error(
+          'StatelessStateStore: INFRA.SESSION_SECRET must be set in production. Without a shared secret, OAuth callbacks will fail across load-balanced instances.',
+        );
+      }
+      console.warn(
+        '[StatelessStateStore] INFRA.SESSION_SECRET not set; using ephemeral fallback. OAuth will fail in any multi-instance deployment.',
+      );
+    }
+    this.secret = secret || FALLBACK_SECRET;
+    this.maxAgeMs = maxAgeMs;
+    this.cookieName = cookieName || DEFAULT_COOKIE_NAME;
+    this.secureCookies = secureCookies ?? false;
+  }
+
+  /**
+   * Called by passport before redirecting to the OAuth provider.
+   *
+   * passport-oauth2 dispatches by `.length`:
+   *   arity 5: store(req, verifier, state, meta, cb)  — PKCE flow
+   *   arity 4: store(req, state, meta, cb)             — standard flow
+   *   arity 3: store(req, meta, cb)                    — no state
+   *
+   * passport-openidconnect always calls with 5 args:
+   *   store(req, ctx, appState, meta, cb)
+   *
+   * We declare 5 params so `.length === 5` satisfies both libraries.
+   *
+   * The token payload stores both `ctx` (OIDC context / PKCE verifier) and
+   * `state` (the app state, e.g. { redirect_uri }) so that verify() can
+   * return them both correctly to each library's restore/loaded callback.
+   */
+  store(
+    req: any,
+    ctxOrState: any,
+    stateOrMeta: any,
+    metaOrCb: any,
+    cb?: Function,
+  ): void {
+    let ctx: any;
+    let state: any;
+    let callback: Function;
+
+    if (typeof cb === 'function') {
+      // 5-arg: (req, verifier/ctx, state, meta, cb)
+      // For passport-oauth2 PKCE: verifier is a string, state is the app state
+      // For passport-openidconnect: ctx has { maxAge, nonce, issued }, state is app state
+      ctx = ctxOrState;
+      state = stateOrMeta;
+      callback = cb;
+    } else if (typeof metaOrCb === 'function') {
+      // 4-arg: (req, state, meta, cb)
+      ctx = undefined;
+      state = ctxOrState;
+      callback = metaOrCb;
+    } else if (typeof stateOrMeta === 'function') {
+      // 3-arg: (req, meta, cb)
+      ctx = undefined;
+      state = {};
+      callback = stateOrMeta;
+    } else {
+      throw new Error('StatelessStateStore.store: invalid arguments');
+    }
+
+    try {
+      // Generate a browser-bound nonce for CSRF protection
+      const nonce = crypto.randomBytes(16).toString('hex');
+
+      const payload: any = {
+        state: state,
+        exp: Date.now() + this.maxAgeMs,
+        nonce: nonce,
+      };
+      // Store ctx only if defined (OIDC context or PKCE verifier)
+      if (ctx !== undefined && ctx !== null) {
+        payload.ctx = ctx;
+      }
+
+      const serialized = JSON.stringify(payload);
+      if (Buffer.byteLength(serialized) > MAX_PAYLOAD_BYTES) {
+        return callback(
+          new Error('OAuth state payload exceeds maximum allowed size'),
+        );
+      }
+
+      const encoded = this.encode(payload);
+
+      // Set the nonce as a SameSite cookie to bind the OAuth flow to this browser
+      if (req.res) {
+        req.res.cookie(this.cookieName, nonce, {
+          httpOnly: true,
+          sameSite: 'lax',
+          secure: this.secureCookies,
+          maxAge: this.maxAgeMs,
+          path: '/',
+        });
+      }
+
+      callback(null, encoded);
+    } catch (err) {
+      callback(err);
+    }
+  }
+
+  /**
+   * Called by passport on the callback to verify the state parameter.
+   *
+   * passport-oauth2 dispatches by `.length`:
+   *   arity 4: verify(req, state, meta, cb)
+   *   arity 3: verify(req, state, cb)
+   *
+   * passport-openidconnect always calls with 3 args:
+   *   verify(req, handle, cb) → restored(err, ctx, state)
+   *
+   * We declare 3 params (matching both) since passport-oauth2 will dispatch
+   * to arity 3 when `.length === 3`.
+   *
+   * Return semantics (second arg → third arg of cb):
+   *   passport-oauth2:          cb(null, ok:truthy|string, appState)
+   *   passport-openidconnect:   cb(null, ctx:{maxAge,nonce,issued}, appState)
+   *
+   * We return the stored ctx (or `true` when ctx was not stored) as the
+   * second arg, and the app state as the third arg. This satisfies both:
+   *   - passport-oauth2 just needs truthy (or a PKCE verifier string)
+   *   - passport-openidconnect needs the OIDC context object
+   */
+  verify(req: any, providedState: string, cb: Function): void {
+    try {
+      // Read the browser-bound nonce from the cookie
+      const cookieNonce = req.cookies?.[this.cookieName];
+
+      // Clear the nonce cookie regardless of outcome
+      if (req.res) {
+        req.res.clearCookie(this.cookieName, { path: '/' });
+      }
+
+      if (!cookieNonce) {
+        return cb(null, false, { message: 'Missing OAuth nonce cookie' });
+      }
+
+      const payload = this.decode(providedState, cookieNonce);
+      if (!payload) {
+        return cb(null, false, { message: 'Invalid state signature' });
+      }
+
+      if (payload.exp && Date.now() > payload.exp) {
+        return cb(null, false, { message: 'State has expired' });
+      }
+
+      // Return ctx (OIDC context or PKCE verifier) as second arg,
+      // falling back to `true` for plain OAuth2 flows without ctx.
+      // Return the app state (e.g. { redirect_uri }) as third arg.
+      const ctx = payload.ctx !== undefined ? payload.ctx : true;
+      cb(null, ctx, payload.state);
+    } catch (err) {
+      cb(err);
+    }
+  }
+
+  /**
+   * Decode and verify a signed state token.
+   * Returns null if the token is missing, malformed, or the signature is invalid.
+   */
+  private decode(token: string, nonce?: string): any | null {
+    try {
+      if (!token) return null;
+
+      const dotIndex = token.indexOf('.');
+      if (dotIndex === -1) return null;
+
+      const payloadStr = token.substring(0, dotIndex);
+      const signature = token.substring(dotIndex + 1);
+
+      const expectedSignature = this.sign(payloadStr, nonce);
+
+      if (
+        signature.length !== expectedSignature.length ||
+        !crypto.timingSafeEqual(
+          Buffer.from(signature),
+          Buffer.from(expectedSignature),
+        )
+      ) {
+        return null;
+      }
+
+      return JSON.parse(Buffer.from(payloadStr, 'base64url').toString());
+    } catch {
+      return null;
+    }
+  }
+
+  private encode(payload: any): string {
+    const payloadStr = Buffer.from(JSON.stringify(payload)).toString(
+      'base64url',
+    );
+    const signature = this.sign(payloadStr, payload.nonce);
+    return `${payloadStr}.${signature}`;
+  }
+
+  private sign(data: string, nonce?: string): string {
+    const hmac = crypto.createHmac('sha256', this.secret);
+    hmac.update(data);
+    if (nonce) {
+      hmac.update(nonce);
+    }
+    return hmac.digest('base64url');
+  }
+}
--- a/packages/hoppscotch-backend/src/auth/strategies/github.strategy.ts
+++ b/packages/hoppscotch-backend/src/auth/strategies/github.strategy.ts
@ -8,6 +8,7 @@ import * as E from 'fp-ts/Either';
 import { ConfigService } from '@nestjs/config';
 import { validateEmail } from 'src/utils';
 import { AUTH_EMAIL_NOT_PROVIDED_BY_OAUTH } from 'src/errors';
+import { StatelessStateStore } from '../stateless-state-store';

@Injectable()
 export class GithubStrategy extends PassportStrategy(Strategy) {
@ -21,7 +22,13 @@ export class GithubStrategy extends PassportStrategy(Strategy) {
      clientSecret: configService.get<string>('INFRA.GITHUB_CLIENT_SECRET'),
      callbackURL: configService.get<string>('INFRA.GITHUB_CALLBACK_URL'),
      scope: [configService.get<string>('INFRA.GITHUB_SCOPE')],
-      store: true,
+      store: new StatelessStateStore(
+        configService.get<string>('INFRA.SESSION_SECRET'),
+        undefined,
+        (configService.get<string>('INFRA.SESSION_COOKIE_NAME') ||
+          '__oauth_nonce') + '_github',
+        configService.get<string>('INFRA.ALLOW_SECURE_COOKIES') === 'true',
+      ),
    });
  }

--- a/packages/hoppscotch-backend/src/auth/strategies/google.strategy.ts
+++ b/packages/hoppscotch-backend/src/auth/strategies/google.strategy.ts
@ -9,6 +9,7 @@ import { ConfigService } from '@nestjs/config';
 import { Request } from 'express';
 import { validateEmail } from 'src/utils';
 import { AUTH_EMAIL_NOT_PROVIDED_BY_OAUTH } from 'src/errors';
+import { StatelessStateStore } from '../stateless-state-store';

@Injectable()
 export class GoogleStrategy extends PassportStrategy(Strategy) {
@ -23,7 +24,13 @@ export class GoogleStrategy extends PassportStrategy(Strategy) {
      callbackURL: configService.get<string>('INFRA.GOOGLE_CALLBACK_URL'),
      scope: configService.get<string>('INFRA.GOOGLE_SCOPE').split(','),
      passReqToCallback: true,
-      store: true,
+      store: new StatelessStateStore(
+        configService.get<string>('INFRA.SESSION_SECRET'),
+        undefined,
+        (configService.get<string>('INFRA.SESSION_COOKIE_NAME') ||
+          '__oauth_nonce') + '_google',
+        configService.get<string>('INFRA.ALLOW_SECURE_COOKIES') === 'true',
+      ),
    });
  }

--- a/packages/hoppscotch-backend/src/auth/strategies/microsoft.strategy.ts
+++ b/packages/hoppscotch-backend/src/auth/strategies/microsoft.strategy.ts
@ -8,6 +8,7 @@ import * as E from 'fp-ts/Either';
 import { ConfigService } from '@nestjs/config';
 import { validateEmail } from 'src/utils';
 import { AUTH_EMAIL_NOT_PROVIDED_BY_OAUTH } from 'src/errors';
+import { StatelessStateStore } from '../stateless-state-store';

@Injectable()
 export class MicrosoftStrategy extends PassportStrategy(Strategy) {
@ -22,7 +23,13 @@ export class MicrosoftStrategy extends PassportStrategy(Strategy) {
      callbackURL: configService.get<string>('INFRA.MICROSOFT_CALLBACK_URL'),
      scope: configService.get<string>('INFRA.MICROSOFT_SCOPE').split(','),
      tenant: configService.get<string>('INFRA.MICROSOFT_TENANT'),
-      store: true,
+      store: new StatelessStateStore(
+        configService.get<string>('INFRA.SESSION_SECRET'),
+        undefined,
+        (configService.get<string>('INFRA.SESSION_COOKIE_NAME') ||
+          '__oauth_nonce') + '_microsoft',
+        configService.get<string>('INFRA.ALLOW_SECURE_COOKIES') === 'true',
+      ),
    });
  }

--- a/packages/hoppscotch-backend/src/main.ts
+++ b/packages/hoppscotch-backend/src/main.ts
@ -3,9 +3,7 @@ import { json } from 'express';
 import { AppModule } from './app.module';
 import cookieParser from 'cookie-parser';
 import { ValidationPipe, VersioningType } from '@nestjs/common';
-import session from 'express-session';
 import { emitGQLSchemaFile } from './gql-schema';
-import * as crypto from 'crypto';
 import morgan from 'morgan';
 import { ConfigService } from '@nestjs/config';
 import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
@ -50,21 +48,6 @@ async function bootstrap() {
  console.log(`Running in production: ${isProduction}`);
  console.log(`Port: ${configService.get('PORT')}`);

-  app.use(
-    session({
-      // Allow overriding the default cookie name 'connect.sid' (which contains a dot).
-      // Some proxies/load balancers (like older Kong versions) cannot hash cookie names with dots,
-      // so we allow setting an alternative name via the INFRA.SESSION_COOKIE_NAME configuration.
-      name:
-        configService.get<string>('INFRA.SESSION_COOKIE_NAME') || 'connect.sid',
-      secret:
-        configService.get<string>('INFRA.SESSION_SECRET') ||
-        crypto.randomBytes(16).toString('hex'),
-      resave: false,
-      saveUninitialized: false,
-    }),
-  );
-
  // Increase file upload limit to 100MB
  app.use(
    json({
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -258,9 +258,6 @@ importers:
      express:
        specifier: 5.2.1
        version: 5.2.1
-      express-session:
-        specifier: 1.19.0
-        version: 1.19.0
      fp-ts:
        specifier: 2.16.11
        version: 2.16.11
@ -6818,9 +6815,6 @@ packages:
  cookie-signature@1.0.6:
    resolution: {integrity: sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ==}

-  cookie-signature@1.0.7:
-    resolution: {integrity: sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA==}
-
  cookie-signature@1.2.2:
    resolution: {integrity: sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==}
    engines: {node: '>=6.6.0'}
@ -7761,10 +7755,6 @@ packages:
    resolution: {integrity: sha512-1zQrciTiQfRdo7qJM1uG4navm8DayFa2TgCSRlzUyNkhcJ6XUZF3hjnpkyr3VhAqPH7i/9GkG7Tv5abz6fqz0Q==}
    engines: {node: ^18.14.0 || ^20.0.0 || ^22.0.0 || >=24.0.0}

-  express-session@1.19.0:
-    resolution: {integrity: sha512-0csaMkGq+vaiZTmSMMGkfdCOabYv192VbytFypcvI0MANrp+4i/7yEkJ0sbAEhycQjntaKGzYfjfXQyVb7BHMA==}
-    engines: {node: '>= 0.8.0'}
-
  express@5.2.1:
    resolution: {integrity: sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==}
    engines: {node: '>= 18'}
@ -10716,10 +10706,6 @@ packages:
  ramda@0.27.2:
    resolution: {integrity: sha512-SbiLPU40JuJniHexQSAgad32hfwd+DRUdwF2PlVuI5RZD0/vahUco7R8vD86J/tcEKKF9vZrUVwgtmGCqlCKyA==}

-  random-bytes@1.0.0:
-    resolution: {integrity: sha512-iv7LhNVO047HzYR3InF6pUcUsPQiHTM1Qal51DcGSuZFBil1aBBWG5eHPNek7bvILMaYJ/8RU1e8w1AMdHmLQQ==}
-    engines: {node: '>= 0.8'}
-
  randombytes@2.1.0:
    resolution: {integrity: sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==}

@ -11838,10 +11824,6 @@ packages:
    engines: {node: '>=0.8.0'}
    hasBin: true

-  uid-safe@2.1.5:
-    resolution: {integrity: sha512-KPHm4VL5dDXKz01UuEd88Df+KzynaohSL9fBh096KWAxSKZQDI2uBrVqtvRM4rwrIrRRKsdLNML/lnaaVSRioA==}
-    engines: {node: '>= 0.8'}
-
  uid2@0.0.4:
    resolution: {integrity: sha512-IevTus0SbGwQzYh3+fRsAMTVVPOoIVufzacXcHPmdlle1jUpq7BRL+mw3dgeLanvGZdwwbWhRV6XrcFNdBmjWA==}

@ -18833,8 +18815,6 @@ snapshots:

  cookie-signature@1.0.6: {}

-  cookie-signature@1.0.7: {}
-
  cookie-signature@1.2.2: {}

  cookie@0.7.2: {}
@ -19938,19 +19918,6 @@ snapshots:
      jest-mock: 30.3.0
      jest-util: 30.3.0

-  express-session@1.19.0:
-    dependencies:
-      cookie: 0.7.2
-      cookie-signature: 1.0.7
-      debug: 2.6.9
-      depd: 2.0.0
-      on-headers: 1.1.0
-      parseurl: 1.3.3
-      safe-buffer: 5.2.1
-      uid-safe: 2.1.5
-    transitivePeerDependencies:
-      - supports-color
-
  express@5.2.1:
    dependencies:
      accepts: 2.0.0
@ -23647,8 +23614,6 @@ snapshots:

  ramda@0.27.2: {}

-  random-bytes@1.0.0: {}
-
  randombytes@2.1.0:
    dependencies:
      safe-buffer: 5.2.1
@ -25016,10 +24981,6 @@ snapshots:
  uglify-js@3.19.3:
    optional: true

-  uid-safe@2.1.5:
-    dependencies:
-      random-bytes: 1.0.0
-
  uid2@0.0.4: {}

  uid@2.0.2: