Fix OAuth login CSRF and PII leakage in auth initialization

[Copilot]

Two high-severity security issues in the authentication flow: the Google OAuth redirect lacked CSRF protection, and the user's email was logged to the console on every initialization.

OAuth state parameter (login CSRF) — AuthService.ts

The authenticateWithGoogle() method had no state parameter, leaving the redirect flow vulnerable to login CSRF. Added a cryptographically secure state alongside the existing nonce:

// Generate nonce + state from the same random pool
const array = new Uint32Array(8);
crypto.getRandomValues(array);
const nonce = Array.from(array.slice(0, 4), dec => dec.toString(36)).join('');
const state = Array.from(array.slice(4), dec => dec.toString(36)).join('');

// Persist before launching flow
await chrome.storage.session.set({ oauth_state: state });
authUrl.searchParams.set('state', state);

// In callback — verify before resolving
const expectedState: string | undefined = stored['oauth_state'];
if (!expectedState || !returnedState || returnedState !== expectedState) {
  reject('OAuth state mismatch — possible CSRF attack');
  return;
}

Stored state is cleared in both success and failure/cancellation paths. Error logging in the no-token branch now emits only the response URL origin, not the full URL (which may contain tokens).

PII in console log — NumbersApiManager.ts

Removed the user email from the initialization log:

// Before
console.log('Token validated successfully for user:', user.email);
// After
console.log('Token validated successfully');

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Security][High] OAuth CSRF vulnerability and PII exposure in auth initialization</issue_title>
<issue_description>## Summary

Two high-severity security findings in the authentication flow that are not covered by existing issues.

Finding 1: Missing OAuth state Parameter Enables Login CSRF

File: src/services/AuthService.ts (lines 92-104)

The authenticateWithGoogle() method constructs an OAuth authorization URL with a nonce parameter but does not include a state parameter. The OAuth 2.0 state parameter is the standard defense against CSRF attacks in the authorization redirect flow. While nonce protects against token replay at the OIDC layer, state protects the redirect flow itself.

Impact: An attacker could forge an authorization redirect to link their Google account to the victim's extension session (login CSRF). This is a distinct attack vector from token replay.

Suggested Fix:

const state = Array.from(crypto.getRandomValues(new Uint32Array(4)), dec => dec.toString(36)).join('');
// Store state before launching auth flow
await chrome.storage.session.set({ oauth_state: state });
authUrl.searchParams.set('state', state);
// In callback, verify: if (returnedState !== storedState) reject('State mismatch');

Finding 2: User Email (PII) Logged During Every Initialization

File: src/services/NumbersApiManager.ts (line 125)

The initialize() method logs: console.log('Token validated successfully for user:', user.email) on every initialization cycle. This leaks PII to anyone inspecting the console, extension debugging tools, or any crash/error reporting system that captures console output.

Impact: User email exposed in console logs in production. In shared environments or compromised machines, this provides direct PII exposure.

Note: This is distinct from issue #20 which covers verbose logging of message payloads. This finding is about PII (email) being logged during standard auth initialization — a production runtime concern.

Suggested Fix:
Remove the email from the log statement entirely, or redact it:

console.log('Token validated successfully');

References

• OWASP OAuth Security: https://cheatsheetseries.owasp.org/cheatsheets/OAuth2_Cheat_Sheet.html
• RFC 6749 Section 10.12 (CSRF Protection)</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [Security][High] OAuth CSRF vulnerability and PII exposure in auth initialization #47

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.