Skip to content

fix: harden browser login callbacks#708

Draft
desimone wants to merge 1 commit into
mainfrom
bdd/eng-4238-harden-browser-login-callbacks
Draft

fix: harden browser login callbacks#708
desimone wants to merge 1 commit into
mainfrom
bdd/eng-4238-harden-browser-login-callbacks

Conversation

@desimone

@desimone desimone commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

What

This hardens the loopback callback used by interactive browser login. Each login now creates a random, single-use callback path and accepts only the issued host, path, GET method, and one non-empty pomerium_jwt query value.

The callback server also sets a five-second read-header timeout. The client overrides any caller-provided redirect URI with its own callback address and clones caller-owned parameters before making that change. The included workflow fix quotes writes to GITHUB_PATH so paths containing whitespace work.

Why

Previously, the callback accepted the first credential-bearing request on a predictable loopback endpoint, including broader methods and request shapes. Another local process or a cross-origin form could inject a credential into an interactive login. A caller could also direct the resulting credential to a different redirect URI.

Review notes

Invalid requests do not consume the valid callback and never reflect the credential. GetBrowserJWT stays explicitly interactive; GetJWT preserves its service-account precedence.

Testing

go test -race ./authclient
make build
make test
make lint

The focused race suite covers hostile redirect URIs, concurrent callbacks, invalid request shapes, and caller-map non-mutation. A known unrelated race in cmd/pomerium-cli exists on clean main; it is outside this diff.

Related issue

AI assistance

Codex assisted with implementation and test authoring. Claude performed adversarial review of callback handling. Bobby defined the security requirements.

Refs: ENG-4238

Accept a credential only on the random callback created for this login and
reject redirect overrides. Bound incomplete headers and quote CI path exports.
@desimone desimone requested a review from a team as a code owner July 11, 2026 17:21
@desimone desimone requested a review from calebdoxsey July 11, 2026 17:21
@desimone desimone marked this pull request as draft July 11, 2026 17:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant