Address pre-release security audit findings (all Critical + High)

Fixes all 4 Critical and 5 High findings, plus 5 of 6 Medium and all 3
Low findings from the pre-release security audit.

Critical:
- [#1] State validation is now unconditional; missing state throws
  StateMismatch, closing the CSRF / authorization code injection vector
- [#2] Public IDmeAuth constructor now requires Context and defaults to
  EncryptedCredentialStore; CredentialStore demoted to internal
- [#3] JWKSClient cache fields are @volatile and all access is serialised
  through a Mutex, eliminating the race condition
- [#4] policies() sends credentials via HTTP Basic Auth header instead of
  GET query parameter, keeping the client secret out of server logs

High:
- [#5] Demo network_security_config.xml removes user-cert trust and sets
  cleartextTrafficPermitted=false
- [#6] iss and aud JWT claims are now mandatory; tokens that omit either
  throw JWTClaimInvalid instead of silently passing
- [#7] JWTValidator validates nbf with 30-second clock skew tolerance and
  applies the same skew window to exp
- [#8] IDmeAuthManager replaces the single CompletableDeferred with a
  ConcurrentHashMap keyed by state; IDmeAuth passes state as sessionId
  so callbacks cannot be routed to the wrong flow
- [#9] extractJSON is now suspend and calls JWTValidator before decoding,
  ensuring userinfo JWT signatures are verified before claims are exposed

Medium:
- [#10] Log.isEnabled flag (default false) gates all SDK log output to
  prevent credential leakage in release builds
- [#11] Redirect URI validation rejects http/https/javascript/file/data
  schemes in IDmeAuth, AuthorizationRequest, and GroupsRequest
- [#12] clearSync() cancels the refresh deferred before nulling state,
  reducing the window for concurrent-write races
- [#13] expiresIn is coerced to [0, 86400] seconds before multiplication,
  preventing integer-overflow-induced negative expiry timestamps
- [#14] AuthViewModel extends AndroidViewModel (provides Context to
  IDmeAuth); clientSecret is only forwarded in OAUTH mode

Low:
- [#15] secure-pipeline-ast.yml pinned to immutable commit SHA instead
  of mutable @master ref
- [#17] Demo release build enables minification
- [#18] Base64URL.decode() throws IDmeAuthError.InvalidJWT on failure
  instead of returning null; JWTDecoder call sites cleaned up accordingly

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: antspriggs

.github/workflows/secure-pipeline-ast.yml

@@ -14,5 +14,5 @@ on:
 
 jobs:
   execute:
-    uses: IDme/workflow-library/.github/workflows/secure-pipeline-ast.yml@master
+    uses: IDme/workflow-library/.github/workflows/secure-pipeline-ast.yml@7a259bb101fd4f20d7cd0137c1f99e8d60af0859
     secrets: inherit

demo/build.gradle.kts

@@ -19,7 +19,7 @@ configure<BaseAppModuleExtension> {
 
     buildTypes {
         release {
-            isMinifyEnabled = false
+            isMinifyEnabled = true
             proguardFiles(
                 getDefaultProguardFile("proguard-android-optimize.txt"),
                 "proguard-rules.pro"

demo/src/main/kotlin/com/idme/auth/demo/AuthViewModel.kt

@@ -1,10 +1,11 @@
 package com.idme.auth.demo
 
 import android.app.Activity
+import android.app.Application
 import androidx.compose.runtime.getValue
 import androidx.compose.runtime.mutableStateOf
 import androidx.compose.runtime.setValue
-import androidx.lifecycle.ViewModel
+import androidx.lifecycle.AndroidViewModel
 import androidx.lifecycle.viewModelScope
 import com.idme.auth.IDmeAuth
 import com.idme.auth.configuration.IDmeAuthMode
@@ -17,7 +18,7 @@ import com.idme.auth.models.Credentials
 import com.idme.auth.models.Policy
 import kotlinx.coroutines.launch
 
-class AuthViewModel : ViewModel() {
+class AuthViewModel(application: Application) : AndroidViewModel(application) {
 
     // MARK: - Configuration Inputs
 
@@ -196,16 +197,20 @@ class AuthViewModel : ViewModel() {
             finalScopes.add(0, IDmeScope.OPENID)
         }
 
+        // Client secret is only applicable for server-side OAuth flows; never embed in PKCE or OIDC.
+        // TODO: Load credentials from local.properties via BuildConfig rather than hardcoding.
+        val secret = if (authMode == IDmeAuthMode.OAUTH) clientSecret else null
+
         val config = IDmeConfiguration(
             clientId = clientId,
             redirectURI = redirectURI,
             scopes = finalScopes,
             environment = environment,
             authMode = authMode,
             verificationType = verificationType,
-            clientSecret = clientSecret
+            clientSecret = secret
         )
 
-        return IDmeAuth(config)
+        return IDmeAuth(config, getApplication())
     }
 }

demo/src/main/res/xml/network_security_config.xml

@@ -1,9 +1,8 @@
 <?xml version="1.0" encoding="utf-8"?>
 <network-security-config>
-    <base-config>
+    <base-config cleartextTrafficPermitted="false">
         <trust-anchors>
             <certificates src="system" />
-            <certificates src="user" />
         </trust-anchors>
     </base-config>
 </network-security-config>

sdk/src/main/kotlin/com/idme/auth/IDmeAuth.kt

@@ -1,6 +1,7 @@
 package com.idme.auth
 
 import android.app.Activity
+import android.content.Context
 import android.net.Uri
 import com.idme.auth.auth.AuthorizationRequest
 import com.idme.auth.auth.GroupsRequest
@@ -13,6 +14,7 @@ import com.idme.auth.configuration.IDmeVerificationType
 import com.idme.auth.errors.IDmeAuthError
 import com.idme.auth.jwt.JWKSClient
 import com.idme.auth.jwt.JWKSFetching
+import com.idme.auth.jwt.JWTDecoder
 import com.idme.auth.jwt.JWTValidator
 import com.idme.auth.models.AttributeResponse
 import com.idme.auth.models.Credentials
@@ -21,7 +23,7 @@ import com.idme.auth.models.UserInfo
 import com.idme.auth.networking.APIEndpoint
 import com.idme.auth.networking.DefaultHTTPClient
 import com.idme.auth.networking.HTTPClient
-import com.idme.auth.storage.CredentialStore
+import com.idme.auth.storage.EncryptedCredentialStore
 import com.idme.auth.token.TokenManager
 import com.idme.auth.token.TokenRefresher
 import com.idme.auth.utilities.Log
@@ -31,7 +33,6 @@ import kotlinx.serialization.json.JsonPrimitive
 import kotlinx.serialization.json.jsonArray
 import kotlinx.serialization.json.jsonObject
 import kotlinx.serialization.json.jsonPrimitive
-import com.idme.auth.jwt.JWTDecoder
 
 /**
  * Main entry point for the IDmeAuthSDK.
@@ -45,7 +46,8 @@ import com.idme.auth.jwt.JWTDecoder
  *         redirectURI = "yourapp://idme/callback",
  *         scopes = listOf(IDmeScope.MILITARY),
  *         verificationType = IDmeVerificationType.SINGLE
- *     )
+ *     ),
+ *     context = applicationContext
  * )
  *
  * val credentials = idme.login(activity)
@@ -59,11 +61,11 @@ class IDmeAuth(
 ) {
     private var lastNonce: String? = null
 
-    /** Creates a new IDmeAuth instance with the given configuration. */
-    constructor(configuration: IDmeConfiguration) : this(
+    /** Creates a new IDmeAuth instance with the given configuration. Credentials are stored in EncryptedSharedPreferences. */
+    constructor(configuration: IDmeConfiguration, context: Context) : this(
         configuration = configuration,
         tokenManager = TokenManager(
-            credentialStore = CredentialStore(),
+            credentialStore = EncryptedCredentialStore(context),
             refresher = TokenRefresher(configuration, DefaultHTTPClient())
         ),
         httpClient = DefaultHTTPClient(),
@@ -109,7 +111,7 @@ class IDmeAuth(
 
         Log.info("Starting auth session: ${configuration.verificationType.value} mode")
 
-        val callbackURL = IDmeAuthManager.launchAuth(activity, authURL)
+        val callbackURL = IDmeAuthManager.launchAuth(activity, authURL, state)
 
         val code = extractAuthorizationCode(callbackURL, state)
 
@@ -147,21 +149,20 @@ class IDmeAuth(
     /**
      * Fetches the available verification policies for the organization.
      *
-     * Uses the client credentials (client_id and client_secret) to authenticate.
+     * Uses the client credentials (client_id and client_secret) to authenticate via HTTP Basic Auth.
      * The policy `handle` can be used as the OAuth `scope` parameter.
      *
      * @return A list of available policies.
      */
     suspend fun policies(): List<Policy> {
-        val baseUrl = APIEndpoint.policies(configuration.environment)
-        val url = "$baseUrl?client_id=${
-            java.net.URLEncoder.encode(configuration.clientId, "UTF-8")
-        }&client_secret=${
-            java.net.URLEncoder.encode(configuration.clientSecret ?: "", "UTF-8")
-        }"
+        val url = APIEndpoint.policies(configuration.environment)
+        val credentials = "${configuration.clientId}:${configuration.clientSecret ?: ""}"
+        val encoded = java.util.Base64.getEncoder()
+            .encodeToString(credentials.toByteArray(Charsets.UTF_8))
+        val headers = mapOf("Authorization" to "Basic $encoded")
 
         val response = try {
-            httpClient.get(url, mapOf())
+            httpClient.get(url, headers)
         } catch (e: IDmeAuthError) {
             throw e
         } catch (e: Exception) {
@@ -303,10 +304,16 @@ class IDmeAuth(
 
     // MARK: - Private
 
-    /** Extracts JSON data from a response that may be plain JSON or a JWT. */
-    private fun extractJSON(body: String): String {
+    /**
+     * Extracts JSON data from a response that may be plain JSON or a JWT.
+     * If the body is a JWT, the signature is verified before claims are extracted.
+     */
+    private suspend fun extractJSON(body: String): String {
         val trimmed = body.trim().trim('"')
         if (trimmed.startsWith("eyJ")) {
+            val issuer = "${configuration.environment.apiBaseURL}oidc"
+            val validator = JWTValidator(jwksFetcher, issuer, configuration.clientId)
+            validator.validate(trimmed, null)
             val decoded = JWTDecoder.decode(trimmed)
             return Json.encodeToString(JsonObject.serializer(), JsonObject(decoded.payload.mapValues { (_, v) ->
                 JsonPrimitive(v.toString())
@@ -337,7 +344,8 @@ class IDmeAuth(
             throw IDmeAuthError.GroupsNotAvailableInSandbox
         }
 
-        if (Uri.parse(configuration.redirectURI).scheme == null) {
+        val scheme = Uri.parse(configuration.redirectURI).scheme
+        if (scheme == null || scheme.lowercase() in DISALLOWED_REDIRECT_SCHEMES) {
             throw IDmeAuthError.InvalidRedirectURI
         }
     }
@@ -354,14 +362,19 @@ class IDmeAuth(
             throw IDmeAuthError.TokenExchangeFailed(0, description)
         }
 
-        // Validate state
+        // Validate state — mandatory; a missing state is treated as a CSRF/injection attempt
         val returnedState = uri.getQueryParameter("state")
-        if (returnedState != null && returnedState != expectedState) {
+            ?: throw IDmeAuthError.StateMismatch
+        if (returnedState != expectedState) {
             throw IDmeAuthError.StateMismatch
         }
 
         // Extract code
         return uri.getQueryParameter("code")
             ?: throw IDmeAuthError.MissingAuthorizationCode
     }
+
+    companion object {
+        private val DISALLOWED_REDIRECT_SCHEMES = setOf("http", "https", "javascript", "file", "data")
+    }
 }

sdk/src/main/kotlin/com/idme/auth/auth/AuthorizationRequest.kt

@@ -16,7 +16,8 @@ class AuthorizationRequest(configuration: IDmeConfiguration) {
     val pkce: PKCEGenerator?
 
     init {
-        if (android.net.Uri.parse(configuration.redirectURI).scheme == null) {
+        val uriScheme = android.net.Uri.parse(configuration.redirectURI).scheme
+        if (uriScheme == null || uriScheme.lowercase() in DISALLOWED_SCHEMES) {
             throw IDmeAuthError.InvalidRedirectURI
         }
 
@@ -57,4 +58,8 @@ class AuthorizationRequest(configuration: IDmeConfiguration) {
         }
         url = "$baseUrl?$queryString"
     }
+
+    companion object {
+        private val DISALLOWED_SCHEMES = setOf("http", "https", "javascript", "file", "data")
+    }
 }

sdk/src/main/kotlin/com/idme/auth/auth/GroupsRequest.kt

@@ -21,7 +21,8 @@ class GroupsRequest(configuration: IDmeConfiguration) {
             throw IDmeAuthError.GroupsNotAvailableInSandbox
         }
 
-        if (android.net.Uri.parse(configuration.redirectURI).scheme == null) {
+        val uriScheme = android.net.Uri.parse(configuration.redirectURI).scheme
+        if (uriScheme == null || uriScheme.lowercase() in DISALLOWED_SCHEMES) {
             throw IDmeAuthError.InvalidRedirectURI
         }
 
@@ -62,4 +63,8 @@ class GroupsRequest(configuration: IDmeConfiguration) {
         }
         url = "$baseUrl?$queryString"
     }
+
+    companion object {
+        private val DISALLOWED_SCHEMES = setOf("http", "https", "javascript", "file", "data")
+    }
 }

sdk/src/main/kotlin/com/idme/auth/auth/IDmeAuthManager.kt

@@ -4,35 +4,35 @@ import android.app.Activity
 import android.net.Uri
 import androidx.browser.customtabs.CustomTabsIntent
 import com.idme.auth.errors.IDmeAuthError
+import java.util.concurrent.ConcurrentHashMap
 import kotlinx.coroutines.CompletableDeferred
 
 /**
  * Singleton that manages the bridge between the Chrome Custom Tab auth flow
  * and the coroutine-based SDK API.
  *
  * Flow:
- * 1. [launchAuth] stores a [CompletableDeferred] and opens a Custom Tab.
+ * 1. [launchAuth] stores a [CompletableDeferred] keyed by the session's `state` value and opens a Custom Tab.
  * 2. The browser redirects to the app's scheme, which is caught by [IDmeRedirectActivity].
- * 3. [handleRedirect] completes the deferred with the callback URL.
+ * 3. [handleRedirect] extracts the `state` from the callback URL and routes the result to the
+ *    matching deferred, preventing cross-flow code injection.
  * 4. [launchAuth] resumes and returns the callback URL to the caller.
  */
 internal object IDmeAuthManager {
-    private var pendingAuth: CompletableDeferred<String>? = null
+    private val pending = ConcurrentHashMap<String, CompletableDeferred<String>>()
 
     /**
      * Launches the authentication flow in a Chrome Custom Tab and suspends
      * until the redirect is received.
      *
      * @param activity The Activity to launch from.
      * @param authUrl The authorization URL to open.
+     * @param sessionId The `state` value for this flow; used to route the callback to the correct coroutine.
      * @return The full callback URL string including query parameters.
      */
-    suspend fun launchAuth(activity: Activity, authUrl: String): String {
-        // Cancel any existing pending auth
-        pendingAuth?.cancel()
-
+    suspend fun launchAuth(activity: Activity, authUrl: String, sessionId: String): String {
         val deferred = CompletableDeferred<String>()
-        pendingAuth = deferred
+        pending[sessionId] = deferred
 
         val customTabsIntent = CustomTabsIntent.Builder()
             .setShowTitle(true)
@@ -45,17 +45,28 @@ internal object IDmeAuthManager {
         } catch (e: kotlinx.coroutines.CancellationException) {
             throw IDmeAuthError.UserCancelled
         } finally {
-            pendingAuth = null
+            pending.remove(sessionId)
         }
     }
 
-    /** Called by [IDmeRedirectActivity] when the redirect URI is received. */
+    /** Called by [IDmeRedirectActivity] when the redirect URI is received. Routes to the matching session. */
     internal fun handleRedirect(callbackUrl: String) {
-        pendingAuth?.complete(callbackUrl)
+        val state = try {
+            Uri.parse(callbackUrl).getQueryParameter("state")
+        } catch (_: Exception) {
+            null
+        }
+        if (state != null) {
+            pending[state]?.complete(callbackUrl)
+        } else {
+            // No state in callback (error or non-compliant response) — deliver to any waiting flow
+            pending.values.firstOrNull()?.complete(callbackUrl)
+        }
     }
 
-    /** Called by [IDmeRedirectActivity] when no URI data is present. */
+    /** Called by [IDmeRedirectActivity] when no URI data is present. Cancels all pending flows. */
     internal fun handleCancel() {
-        pendingAuth?.completeExceptionally(IDmeAuthError.UserCancelled)
+        pending.values.forEach { it.completeExceptionally(IDmeAuthError.UserCancelled) }
+        pending.clear()
     }
 }

sdk/src/main/kotlin/com/idme/auth/jwt/JWKSClient.kt

@@ -6,6 +6,8 @@ import com.idme.auth.models.JWKS
 import com.idme.auth.networking.APIEndpoint
 import com.idme.auth.networking.DefaultHTTPClient
 import com.idme.auth.networking.HTTPClient
+import kotlinx.coroutines.sync.Mutex
+import kotlinx.coroutines.sync.withLock
 import kotlinx.serialization.json.Json
 
 /** Interface for fetching JWKS, enabling mock injection. */
@@ -20,16 +22,17 @@ class JWKSClient(
     private val cacheTTL: Long = 3600_000L // 1 hour in milliseconds
 ) : JWKSFetching {
 
-    private var cached: JWKS? = null
-    private var cacheTime: Long = 0
+    @Volatile private var cached: JWKS? = null
+    @Volatile private var cacheTime: Long = 0
+    private val cacheMutex = Mutex()
 
     private val json = Json { ignoreUnknownKeys = true }
 
-    override suspend fun fetchJWKS(): JWKS {
+    override suspend fun fetchJWKS(): JWKS = cacheMutex.withLock {
         val now = System.currentTimeMillis()
         val cachedValue = cached
         if (cachedValue != null && (now - cacheTime) < cacheTTL) {
-            return cachedValue
+            return@withLock cachedValue
         }
 
         val url = APIEndpoint.jwks(environment)
@@ -55,6 +58,6 @@ class JWKSClient(
         cached = jwks
         cacheTime = now
 
-        return jwks
+        jwks
     }
 }

sdk/src/main/kotlin/com/idme/auth/jwt/JWTDecoder.kt

@@ -52,7 +52,6 @@ object JWTDecoder {
 
         // Decode header
         val headerData = Base64URL.decode(headerPart)
-            ?: throw IDmeAuthError.InvalidJWT("Failed to decode JWT header")
         val headerJSON = try {
             Json.parseToJsonElement(String(headerData, Charsets.UTF_8)) as JsonObject
         } catch (e: Exception) {
@@ -66,7 +65,6 @@ object JWTDecoder {
 
         // Decode payload
         val payloadData = Base64URL.decode(payloadPart)
-            ?: throw IDmeAuthError.InvalidJWT("Failed to decode JWT payload")
         val payloadJSON = try {
             Json.parseToJsonElement(String(payloadData, Charsets.UTF_8)) as JsonObject
         } catch (e: Exception) {
@@ -80,7 +78,6 @@ object JWTDecoder {
 
         // Decode signature
         val signatureData = Base64URL.decode(signaturePart)
-            ?: throw IDmeAuthError.InvalidJWT("Failed to decode JWT signature")
 
         val signedPortion = "$headerPart.$payloadPart"