fix: Authentication provider credentials are usable across Parse Server apps; fixes security vulnerability [GHSA-837q-jhwx-cmpv](https://github.com/parse-community/parse-server/security/advisories/GHSA-837q-jhwx-cmpv) (#9667)

2025-03-21 10:49:09 +01:00
parent c56b2c49b2
commit 5ef0440c8e
59 changed files with 5987 additions and 1680 deletions
--- a/src/Adapters/Auth/line.js
+++ b/src/Adapters/Auth/line.js
@@ -1,36 +1,143 @@
-// Helper functions for accessing the line API.
-var Parse = require('parse/node').Parse;
-const httpsRequest = require('./httpsRequest');
+/**
+ * Parse Server authentication adapter for Line.
+ *
+ * @class LineAdapter
+ * @param {Object} options - The adapter configuration options.
+ * @param {string} options.clientId - Your Line App Client ID. Required for secure authentication.
+ * @param {string} options.clientSecret - Your Line App Client Secret. Required for secure authentication.
+ * @param {boolean} [options.enableInsecureAuth=false] - **[DEPRECATED]** Enable insecure authentication (not recommended).
+ *
+ * @description
+ * ## Parse Server Configuration
+ * To configure Parse Server for Line authentication, use the following structure:
+ * ### Secure Configuration
+ * ```json
+ * {
+ *   "auth": {
+ *     "line": {
+ *       "clientId": "your-client-id",
+ *       "clientSecret": "your-client-secret"
+ *     }
+ *   }
+ * }
+ * ```
+ * ### Insecure Configuration (Not Recommended)
+ * ```json
+ * {
+ *   "auth": {
+ *     "line": {
+ *       "enableInsecureAuth": true
+ *     }
+ *   }
+ * }
+ * ```
+ *
+ * The adapter requires the following `authData` fields:
+ * - **Secure Authentication**: `code`, `redirect_uri`.
+ * - **Insecure Authentication (Not Recommended)**: `id`, `access_token`.
+ *
+ * ## Auth Payloads
+ * ### Secure Authentication Payload
+ * ```json
+ * {
+ *   "line": {
+ *     "code": "xxxxxxxxx",
+ *     "redirect_uri": "https://example.com/callback"
+ *   }
+ * }
+ * ```
+ *
+ * ### Insecure Authentication Payload (Not Recommended)
+ * ```json
+ * {
+ *   "line": {
+ *     "id": "1234567",
+ *     "access_token": "xxxxxxxxx"
+ *   }
+ * }
+ * ```
+ *
+ * ## Notes
+ * - `enableInsecureAuth` is **not recommended** and will be removed in future versions. Use secure authentication with `clientId` and `clientSecret`.
+ * - Secure authentication exchanges the `code` and `redirect_uri` provided by the client for an access token using Line's OAuth flow.
+ *
+ * @see {@link https://developers.line.biz/en/docs/line-login/integrate-line-login/ Line Login Documentation}
+ */

-// Returns a promise that fulfills if this user id is valid.
-function validateAuthData(authData) {
-  return request('profile', authData.access_token).then(response => {
-    if (response && response.userId && response.userId === authData.id) {
-      return;
+import BaseCodeAuthAdapter from './BaseCodeAuthAdapter';
+
+class LineAdapter extends BaseCodeAuthAdapter {
+  constructor() {
+    super('Line');
+  }
+
+  async getAccessTokenFromCode(authData) {
+    if (!authData.code) {
+      throw new Parse.Error(
+        Parse.Error.OBJECT_NOT_FOUND,
+        'Line auth is invalid for this user.'
+      );
    }
-    throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Line auth is invalid for this user.');
-  });
+
+    const tokenUrl = 'https://api.line.me/oauth2/v2.1/token';
+    const response = await fetch(tokenUrl, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+      body: new URLSearchParams({
+        client_id: this.clientId,
+        client_secret: this.clientSecret,
+        grant_type: 'authorization_code',
+        redirect_uri: authData.redirect_uri,
+        code: authData.code,
+      }),
+    });
+
+    if (!response.ok) {
+      throw new Parse.Error(
+        Parse.Error.OBJECT_NOT_FOUND,
+        `Failed to exchange code for token: ${response.statusText}`
+      );
+    }
+
+    const data = await response.json();
+    if (data.error) {
+      throw new Parse.Error(
+        Parse.Error.OBJECT_NOT_FOUND,
+        data.error_description || data.error
+      );
+    }
+
+    return data.access_token;
+  }
+
+  async getUserFromAccessToken(accessToken) {
+    const userApiUrl = 'https://api.line.me/v2/profile';
+    const response = await fetch(userApiUrl, {
+      method: 'GET',
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+      },
+    });
+
+    if (!response.ok) {
+      throw new Parse.Error(
+        Parse.Error.OBJECT_NOT_FOUND,
+        `Failed to fetch Line user: ${response.statusText}`
+      );
+    }
+
+    const userData = await response.json();
+    if (!userData?.userId) {
+      throw new Parse.Error(
+        Parse.Error.VALIDATION_ERROR,
+        'Invalid Line user data received.'
+      );
+    }
+
+    return userData;
+  }
 }

-// Returns a promise that fulfills iff this app id is valid.
-function validateAppId() {
-  return Promise.resolve();
-}
-
-// A promisey wrapper for api requests
-function request(path, access_token) {
-  var options = {
-    host: 'api.line.me',
-    path: '/v2/' + path,
-    method: 'GET',
-    headers: {
-      Authorization: 'Bearer ' + access_token,
-    },
-  };
-  return httpsRequest.get(options);
-}
-
-module.exports = {
-  validateAppId: validateAppId,
-  validateAuthData: validateAuthData,
-};
+export default new LineAdapter();