fix: Authentication provider credentials are usable across Parse Server apps; fixes security vulnerability [GHSA-837q-jhwx-cmpv](https://github.com/parse-community/parse-server/security/advisories/GHSA-837q-jhwx-cmpv) (#9667)

src/Adapters/Auth/github.js

@@ -1,35 +1,127 @@
-// Helper functions for accessing the github API.
-var Parse = require('parse/node').Parse;
-const httpsRequest = require('./httpsRequest');
+/**
+ * Parse Server authentication adapter for GitHub.
+ * @class GitHubAdapter
+ * @param {Object} options - The adapter configuration options.
+ * @param {string} options.clientId - The GitHub App Client ID. Required for secure authentication.
+ * @param {string} options.clientSecret - The GitHub App Client Secret. Required for secure authentication.
+ * @param {boolean} [options.enableInsecureAuth=false] - **[DEPRECATED]** Enable insecure authentication (not recommended).
+ *
+ * @param {Object} authData - The authentication data provided by the client.
+ * @param {string} authData.code - The authorization code from GitHub. Required for secure authentication.
+ * @param {string} [authData.id] - **[DEPRECATED]** The GitHub user ID (required for insecure authentication).
+ * @param {string} [authData.access_token] - **[DEPRECATED]** The GitHub access token (required for insecure authentication).
+ *
+ * @description
+ * ## Parse Server Configuration
+ * * To configure Parse Server for GitHub authentication, use the following structure:
+ * ```json
+ * {
+ *  "auth": {
+ *   "github": {
+ *     "clientId": "12345",
+ *     "clientSecret": "abcde"
+ *   }
+ * }
+ * ```
+ *
+ * The GitHub adapter exchanges the `authData.code` provided by the client for an access token using GitHub's OAuth API. The following `authData` field is required:
+ * - `code`
+ *
+ * ## Insecure Authentication (Not Recommended)
+ * Insecure authentication uses the `authData.id` and `authData.access_token` provided by the client. This flow is insecure, deprecated, and poses potential security risks. The following `authData` fields are required:
+ * - `id` (**[DEPRECATED]**): The GitHub user ID.
+ * - `access_token` (**[DEPRECATED]**): The GitHub access token.
+ * To configure Parse Server for insecure authentication, use the following structure:
+ * ```json
+ * {
+ *  "auth": {
+ *    "github": {
+ *    "enableInsecureAuth": true
+ *  }
+ * }
+ * ```
+ *
+ * ### Deprecation Notice
+ * The `enableInsecureAuth` option and insecure `authData` fields (`id`, `access_token`) are deprecated and will be removed in future versions. Use secure authentication with `clientId` and `clientSecret`.
+ *
+ * @example <caption>Secure Authentication Example</caption>
+ * // Example authData for secure authentication:
+ * const authData = {
+ *   github: {
+ *     code: "abc123def456ghi789"
+ *   }
+ * };
+ *
+ * @example <caption>Insecure Authentication Example (Not Recommended)</caption>
+ * // Example authData for insecure authentication:
+ * const authData = {
+ *   github: {
+ *     id: "1234567",
+ *     access_token: "abc123def456ghi789" // Deprecated.
+ *   }
+ * };
+ *
+ * @note `enableInsecureAuth` will be removed in future versions. Use secure authentication with `clientId` and `clientSecret`.
+ * @note Secure authentication exchanges the `code` provided by the client for an access token using GitHub's OAuth API.
+ *
+ * @see {@link https://docs.github.com/en/developers/apps/authorizing-oauth-apps GitHub OAuth Documentation}
+ */
 
-// Returns a promise that fulfills iff this user id is valid.
-function validateAuthData(authData) {
-  return request('user', authData.access_token).then(data => {
-    if (data && data.id == authData.id) {
-      return;
+import BaseCodeAuthAdapter from './BaseCodeAuthAdapter';
+class GitHubAdapter extends BaseCodeAuthAdapter {
+  constructor() {
+    super('GitHub');
+  }
+  async getAccessTokenFromCode(authData) {
+    const tokenUrl = 'https://github.com/login/oauth/access_token';
+    const response = await fetch(tokenUrl, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        Accept: 'application/json',
+      },
+      body: JSON.stringify({
+        client_id: this.clientId,
+        client_secret: this.clientSecret,
+        code: authData.code,
+      }),
+    });
+
+    if (!response.ok) {
+      throw new Parse.Error(Parse.Error.VALIDATION_ERROR, `Failed to exchange code for token: ${response.statusText}`);
     }
-    throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Github auth is invalid for this user.');
-  });
+
+    const data = await response.json();
+    if (data.error) {
+      throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, data.error_description || data.error);
+    }
+
+    return data.access_token;
+  }
+
+  async getUserFromAccessToken(accessToken) {
+    const userApiUrl = 'https://api.github.com/user';
+    const response = await fetch(userApiUrl, {
+      method: 'GET',
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: 'application/json',
+      },
+    });
+
+    if (!response.ok) {
+      throw new Parse.Error(Parse.Error.VALIDATION_ERROR, `Failed to fetch GitHub user: ${response.statusText}`);
+    }
+
+    const userData = await response.json();
+    if (!userData.id || !userData.login) {
+      throw new Parse.Error(Parse.Error.VALIDATION_ERROR, 'Invalid GitHub user data received.');
+    }
+
+    return userData;
+  }
+
 }
 
-// Returns a promise that fulfills iff this app id is valid.
-function validateAppId() {
-  return Promise.resolve();
-}
+export default new GitHubAdapter();
 
-// A promisey wrapper for api requests
-function request(path, access_token) {
-  return httpsRequest.get({
-    host: 'api.github.com',
-    path: '/' + path,
-    headers: {
-      Authorization: 'bearer ' + access_token,
-      'User-Agent': 'parse-server',
-    },
-  });
-}
-
-module.exports = {
-  validateAppId: validateAppId,
-  validateAuthData: validateAuthData,
-};