fix(auth): validate origin of oauth callback to prevent login csrf#1093

Merged
Spiral-Memory merged 1 commit into RocketChat:develop from deepak0x:fix/oauth-origin-validation on Mar 21, 2026

Conversation

@deepak0x (Contributor) commented Jan 21, 2026

This pull request fixes a critical security vulnerability in the OAuth login flow where the application accepted OAuth callback messages from any origin.

Previously, the postMessage event listener in loginWithRocketChatOAuth did not validate the origin of incoming messages. This allowed malicious websites to forge OAuth callbacks and potentially force users to log in with attacker-controlled accounts.

Closes #1071

Fix

  • Added validation to ensure event.origin matches the trusted Rocket.Chat server origin
  • The expected origin is derived from config.api.baseUrl
  • Messages from untrusted origins are ignored

Only messages from the configured Rocket.Chat server are now accepted.
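The check described above, as an added example written for this page rather than the project's own loginWithRocketChatOAuth code: the trusted origin is derived from the configured server base URL, the listener compares event.origin against it with strict equality, and a 'before' handler is kept alongside to show what the unchecked listener accepts. The message shape (an object carrying credentialToken and credentialSecret), the FakeWindow stand-in for window, the base URL and the sample events are all assumptions constructed for illustration.

```javascript
// Added example, not EmbeddedChat/Rocket.Chat project code. Demonstrates an
// origin-checked postMessage listener for an OAuth popup callback.
// Assumptions: the popup posts { credentialToken, credentialSecret }; the
// server base URL is the value held in config.api.baseUrl.

// Derive the trusted origin from the configured base URL. URL.origin keeps
// scheme + host + port and drops path/query/fragment, so
// "https://chat.example.com:3000/api/v1" -> "https://chat.example.com:3000".
// Returns null when the URL is unparsable or has no hierarchical origin.
function expectedOriginFromBaseUrl(baseUrl) {
  try {
    const { origin } = new URL(baseUrl);
    // URL.origin is the string "null" for schemes like data: or blob:.
    return origin === 'null' ? null : origin;
  } catch {
    return null;
  }
}

// 'Before': any window that can reach us with postMessage is believed.
function handleOAuthMessageUnchecked(event) {
  const data = event.data;
  if (data && typeof data === 'object' && typeof data.credentialToken === 'string') return data;
  return null;
}

// 'After': exact-match origin check before the payload is even inspected.
function handleOAuthMessage(event, baseUrl) {
  const trusted = expectedOriginFromBaseUrl(baseUrl);
  // Strict equality matters: startsWith/includes would also accept
  // "https://chat.example.com.attacker.example" or a different port/scheme.
  if (trusted === null || event.origin !== trusted) return null;
  const data = event.data;
  if (!data || typeof data !== 'object' || typeof data.credentialToken !== 'string') return null;
  return data;
}

// Attach the hardened handler; onCredentials only ever sees accepted payloads.
// Returns a function that removes the listener once the login completes.
function installOAuthListener(target, baseUrl, onCredentials) {
  const listener = (event) => {
    const accepted = handleOAuthMessage(event, baseUrl);
    if (accepted) onCredentials(accepted);
  };
  target.addEventListener('message', listener);
  return () => target.removeEventListener('message', listener);
}

// Minimal stand-in for `window` so the example runs in Node (constructed).
class FakeWindow {
  constructor() { this.listeners = new Set(); }
  addEventListener(type, fn) { if (type === 'message') this.listeners.add(fn); }
  removeEventListener(type, fn) { if (type === 'message') this.listeners.delete(fn); }
  // Emulates a cross-window postMessage arriving with the given origin.
  postMessageFrom(origin, data) { for (const fn of [...this.listeners]) fn({ origin, data }); }
}

// Constructed sample events: one genuine callback and three forged ones.
const SAMPLE_EVENTS = [
  { origin: 'https://chat.example.com', data: { credentialToken: 'tok-legit', credentialSecret: 's1' } },
  { origin: 'https://evil.example', data: { credentialToken: 'tok-attacker', credentialSecret: 's2' } },
  { origin: 'https://chat.example.com.evil.example', data: { credentialToken: 'tok-lookalike', credentialSecret: 's3' } },
  { origin: 'http://chat.example.com', data: { credentialToken: 'tok-downgrade', credentialSecret: 's4' } },
];

// Runs both handlers over the sample events and reports which tokens each accepted.
function runDemo(baseUrl = 'https://chat.example.com/api/v1') {
  const win = new FakeWindow();
  const unchecked = [];
  const accepted = [];
  win.addEventListener('message', (e) => {
    const d = handleOAuthMessageUnchecked(e);
    if (d) unchecked.push(d.credentialToken);
  });
  const stop = installOAuthListener(win, baseUrl, (d) => accepted.push(d.credentialToken));
  for (const ev of SAMPLE_EVENTS) win.postMessageFrom(ev.origin, ev.data);
  stop();
  return { unchecked, accepted };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runDemo());
}
```

The unchecked handler accepts all four tokens; the origin-checked one accepts only the message from https://chat.example.com, rejecting the look-alike host and the http:// downgrade because the scheme and port are part of the origin. The same discipline applies in the other direction: the popup should call postMessage with the opener's origin as targetOrigin rather than "*", so the credential token is never handed to a window the attacker controls.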

@Spiral-Memory (Collaborator) left a comment

LGTM

@Spiral-Memory (Collaborator)

Could you create a video demonstrating that the functionality continues to operate as intended?

Spiral-Memory added the labels "chore a subtle fix", "nudge minor tweaks" and "suggested testing" on Mar 13, 2026

@deepak0x (Contributor, Author)

Sure @Spiral-Memory ;)

@deepak0x (Contributor, Author) commented Mar 16, 2026

Hi @Spiral-Memory, I attached the video... let me know if you want anything else too.
https://github.com/user-attachments/assets/e4dfcc43-b8cd-4119-864f-abce96990886

Spiral-Memory removed the labels "nudge minor tweaks" and "suggested testing" on Mar 21, 2026
@Spiral-Memory Spiral-Memory merged commit 37896cb into RocketChat:develop Mar 21, 2026
4 checks passed
github-actions bot added a commit that referenced this pull request Mar 21, 2026
Labels

chore a subtle fix

Development

Successfully merging this pull request may close these issues.

Missing Origin Validation in OAuth Callback (Login CSRF)

2 participants