From 073d998d6257a8ac8c3fed4b7b6ddc1a94d9fcb1 Mon Sep 17 00:00:00 2001 From: Abhinav Kumar <15830206+abhinavkrin@users.noreply.github.com> Date: Sun, 13 Jun 2021 01:35:28 +0530 Subject: [PATCH] security -> origin matching --- README.md | 5 +++++ firebase.json | 8 +++++++- functions/.eslintrc.json | 2 +- functions/.gitignore | 1 + functions/index.js | 10 ++++++++++ functions/package.json | 2 +- 6 files changed, 25 insertions(+), 3 deletions(-) create mode 100644 functions/.gitignore diff --git a/README.md b/README.md index 997affd..502479c 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,11 @@ oauth.authorize_path=/oauth/authorize oauth.token_path=/oauth/token ``` +For security reasons set an origin_pattern to match the origins, so that only trusted origins could be use to authenticate. Replace yoursite.com with your domain. +``` +firebase functions:config:set oauth.origin_pattern="(^https://yoursite.com$|^https://www.yoursite.com$|^http://localhost:3000$)" +``` + ### 4) Deploy the function Deploy the function to Firebase: ``` diff --git a/firebase.json b/firebase.json index 0967ef4..a68a195 100644 --- a/firebase.json +++ b/firebase.json @@ -1 +1,7 @@ -{} +{ + "functions": { + "predeploy": [ + "npm --prefix \"$RESOURCE_DIR\" run lint" + ] + } +} diff --git a/functions/.eslintrc.json b/functions/.eslintrc.json index 3e91886..ea4352b 100644 --- a/functions/.eslintrc.json +++ b/functions/.eslintrc.json @@ -1,7 +1,7 @@ { "parserOptions": { // Required for certain syntax usages - "ecmaVersion": 6 + "ecmaVersion": 8 }, "plugins": [ "promise" diff --git a/functions/.gitignore b/functions/.gitignore new file mode 100644 index 0000000..40b878d --- /dev/null +++ b/functions/.gitignore @@ -0,0 +1 @@ +node_modules/ \ No newline at end of file diff --git a/functions/index.js b/functions/index.js index bcbe89d..15d5612 100644 --- a/functions/index.js +++ b/functions/index.js 
@@ -11,6 +11,11 @@ function getScript(mess, content) {
 (function() {
 function receiveMessage(e) {
 console.log("receiveMessage %o", e)
+ if (!e.origin.match(${JSON.stringify(oauth.origin_pattern,"i")})) {
+ console.log('Invalid origin: %s', e.origin);
+ window.close();
+ return;
+ }
 window.opener.postMessage(
 'authorization:github:${mess}:${JSON.stringify(content)}',
 e.origin
@@ -49,6 +54,10 @@ oauthApp.get('/auth', (req, res) => {
 })
 oauthApp.get('/callback', async (req, res) => {
+ if(''.match(oauth.origin_pattern || '')){
+ console.error("Insecure ORIGIN pattern used. This can give unauthorized users access to your repository.");
+ process.exit();
+ }
 var options = {
 code: req.query.code
 }
@@ -73,6 +82,7 @@ oauthApp.get('/callback', async (req, res) => {
 console.error('Access Token Error', error.message)
 res.send(getScript('error', error))
 }
+ return 'Error';
 })
 oauthApp.get('/success', (req, res) => {
diff --git a/functions/package.json b/functions/package.json
index 0056d49..8cd96b5 100644
--- a/functions/package.json
+++ b/functions/package.json
@@ -2,7 +2,7 @@
 "name": "functions",
 "description": "Cloud Functions for Firebase",
 "engines": {
- "node": "10"
+ "node": "12"
 },
 "scripts": {
 "lint": "eslint .",
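Review bot: The `"i"` in `JSON.stringify(oauth.origin_pattern,"i")` is JSON.stringify's replacer parameter, not a RegExp flag, so it is silently ignored and the emitted popup code is `e.origin.match("<pattern>")`, a string that `match` implicitly compiles into a case-sensitive regex. Because compilation is implicit, the allow-list is exactly as strict as the operator's anchoring and escaping: a value like `https://yoursite.com` without `^...$` also matches `https://yoursite.com.attacker.example`, and an unescaped `.` matches any character, so the generated script should compile the pattern explicitly and the README should state it is a regex — e.g. `const allowedOrigin = new RegExp(${JSON.stringify(oauth.origin_pattern)});` followed by `if (!allowedOrigin.test(e.origin)) {`. Note also that when the config is unset `JSON.stringify(undefined)` yields the bare token `undefined`, which `match()` turns into an empty regex accepting every origin, so this handler's safety currently rests entirely on the separate `''.match(...)` guard in `/callback`; a popup script that is generated from a missing pattern should refuse to post the token at all. The `getScript` template this hunk sits in starts and ends outside the hunk.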
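Review bot: `process.exit()` inside the `/callback` request handler tears down the whole function instance, with exit status 0 and without answering the request, so the user sees a hung or failed popup and the operator sees a restart rather than a configuration error. The guard also only rejects patterns that match the empty string, so an unanchored value such as `yoursite.com` passes here yet still matches `https://yoursite.com.attacker.example` in the popup script, and a syntactically invalid pattern makes `''.match()` throw as an unhandled rejection from this async handler. I would validate the pattern once at module load, next to where `oauth` is read, so a bad deployment fails at cold start — `if (!oauth.origin_pattern || ''.match(oauth.origin_pattern)) throw new Error('oauth.origin_pattern must be an anchored regex of allowed origins')` — and, if a per-request check is kept, reply with `res.status(500).send('OAuth provider misconfigured'); return` instead of exiting. The rest of the handler body lies outside this hunk.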
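Review bot: `return 'Error'` at the end of the `/callback` handler has no effect, because Express discards a route handler's return value, and unless the `try` block above returns early it also executes on the success path, so the literal misleads a reader into thinking the string reaches the client. If it was added to satisfy the lint run this commit now enforces on predeploy (presumably a `consistent-return` or `promise/always-return` rule), a bare `return;` or an explicit `return res.send(...)` in each branch expresses the intent without a dead value. The `try` block this follows starts outside the hunk, so I cannot see whether it returns.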