Security: fix deserialization, timing attack, open redirect, and name bug

README.md

@@ -1,6 +1,11 @@
 # df-oauth
 DreamFactory OAuth support.
 
+
+## Overview
+
+DreamFactory is a secure, self-hosted enterprise data access platform that provides governed API access to any data source, connecting enterprise applications and on-prem LLMs with role-based access and identity passthrough.
+
 ## Configure DreamFactory OAuth Connector
 
 1. Log in to the DreamFactory admin interface.

src/Components/DfOAuthOneProvider.php

@@ -33,7 +33,11 @@ public function redirect()
             \Cache::put('oauth.temp', $temp, 180);
         } else {
             $temp = $this->server->getTemporaryCredentials();
-            \Cache::put('oauth_temp', serialize($temp), 180);
+            // Store as JSON to avoid insecure unserialize() on cache retrieval
+            \Cache::put('oauth_temp', json_encode([
+                'identifier' => $temp->getIdentifier(),
+                'secret' => $temp->getSecret(),
+            ]), 180);
         }
 
         return new RedirectResponse($this->server->getAuthorizationUrl($temp));
@@ -49,10 +53,8 @@ public function getOAuthToken()
         if (!$this->isStateless()) {
             return \Cache::get('oauth.temp');
         } else {
-            /** @var TemporaryCredentials $temp */
-            $temp = unserialize(\Cache::get('oauth_temp'));
-
-            return $temp->getIdentifier();
+            $data = json_decode(\Cache::get('oauth_temp'), true);
+            return $data['identifier'] ?? null;
         }
     }
 
@@ -68,7 +70,10 @@ protected function getToken()
                 $temp, $this->request->get('oauth_token'), $this->request->get('oauth_verifier')
             );
         } else {
-            $temp = unserialize(\Cache::pull('oauth_temp'));
+            $data = json_decode(\Cache::pull('oauth_temp'), true);
+            $temp = new TemporaryCredentials();
+            $temp->setIdentifier($data['identifier'] ?? '');
+            $temp->setSecret($data['secret'] ?? '');
 
             return $this->server->getTokenCredentials(
                 $temp, $this->request->get('oauth_token'), $this->request->get('oauth_verifier')

src/Resources/SSO.php

@@ -76,12 +76,9 @@ protected function handlePOST()
         } catch (\Exception $e) {
             Log::error('OAuth callback failed:', ['error' => $e->getMessage()]);
 
-            // For OAuth callbacks, we need to redirect to an error page instead of returning JSON
-            $errorMessage = urlencode($e->getMessage());
-
-            // Check if we're in development mode (detect by checking if port 4200 is accessible)
             $baseUrl = $this->getRedirectBaseUrl();
-            $redirectUrl = $baseUrl . "?error=" . $errorMessage;
+            // Use generic error message in redirect to avoid leaking internal details
+            $redirectUrl = $baseUrl . "?error=" . urlencode('Authentication failed. Please try again.');
             Log::info('OAuth error redirect URL:', ['url' => $redirectUrl]);
 
             return $this->respond()

src/Services/BaseOAuthService.php

@@ -256,7 +256,7 @@ public function loginOAuthUser(OAuthUserContract $user)
      */
     public function createShadowOAuthUser(OAuthUserContract $OAuthUser)
     {
-        $fullName = $OAuthUser->getName() || $OAuthUser->getNickname();
+        $fullName = $OAuthUser->getName() ?: $OAuthUser->getNickname();
         @list($firstName, $lastName) = explode(' ', $fullName);
 
         $email = $OAuthUser->getEmail();
@@ -337,23 +337,24 @@ protected function isValidRedirectUrl($url)
             return false;
         }
 
-        // Check against whitelist if configured
+        // Check against whitelist — default to own host if no whitelist configured
         $whitelist = config('df.oauth.allowed_redirect_domains', []);
-        if (!empty($whitelist)) {
-            $host = $parsed['host'] ?? '';
-            $allowed = false;
-            foreach ($whitelist as $pattern) {
-                if (fnmatch($pattern, $host)) {
-                    $allowed = true;
-                    break;
-                }
-            }
-            if (!$allowed) {
-                return false;
+        if (empty($whitelist)) {
+            // No whitelist configured: only allow redirects to the same host
+            $appHost = parse_url(config('app.url', ''), PHP_URL_HOST);
+            $whitelist = $appHost ? [$appHost] : [];
+        }
+
+        $host = $parsed['host'] ?? '';
+        $allowed = false;
+        foreach ($whitelist as $pattern) {
+            if (fnmatch($pattern, $host)) {
+                $allowed = true;
+                break;
             }
         }
 
-        return true;
+        return $allowed;
     }
 
     /**

src/Services/Google.php

@@ -105,7 +105,7 @@ protected function findRoleByGroupEmail($groupEmail)
      */
     public function createShadowOAuthUser(OAuthUserContract $OAuthUser)
     {
-        $fullName = $OAuthUser->getName() || $OAuthUser->getNickname();
+        $fullName = $OAuthUser->getName() ?: $OAuthUser->getNickname();
         @list($firstName, $lastName) = explode(' ', $fullName);
 
         $email = $OAuthUser->getEmail();

src/Services/HerokuAddonSSOService.php

@@ -117,7 +117,7 @@ private function checkToken($token, $timestamp, $resourceId)
                 $secret = $this->getConfig('secret');
             }
         }
-        if (sha1("{$resourceId}:{$secret}:{$timestamp}") !== $token) {
+        if (!hash_equals(sha1("{$resourceId}:{$secret}:{$timestamp}"), $token)) {
             throw new ForbiddenException('Token invalid. Please provide valid token');
         }
     }