@sohamganatrachecks…fix/critical-auth-security-cors-account-linking → master3 files · +24 −18review: @kaavee315review: @anshugarg15updated 2w agoFixes multiple critical vulnerabilities discovered during investigation of bulk account takeover attempts via Oxylabs residential proxy (79.116.161.224, Madrid, Spain). Datadog threat_intel flagged all requests as intention: suspicious, category: residential_proxy, risks: AD_FRAUD, CALLBACK_PROXY.
The OAuth callback endpoint echoed any Origin header with Access-Control-Allow-Credentials: true, and returned the JWT token in the response body. This enabled a bulk session-stealing attack:
.composio.dev session cookie (cookie domain is .composio.dev = all subdomains)callback.ts): Replace echo-any-origin with isDashboardOrigin() validation. Only known dashboard origins get Access-Control-Allow-Origin + credentials: true. Unknown origins get no CORS headers.login.ts, callback.ts): Origin header validated against isDashboardOrigin() before constructing redirect URIs. Prevents open redirect to attacker-controlled domains.login.ts): User-supplied redirectUri query param must start with the validated origin. Prevents arbitrary redirect injection.better_auth/index.ts): Added trustedProviders: ['google', 'github'] to prevent untrusted providers from auto-linking to existing accounts by email.login.ts): Replaced Math.random().toString(36) with crypto.randomUUID()..composio.dev to specific subdomainsAccess-Control-Allow-Origin: * in common.ts and with_rate_limit.tsdashboard.composio.dev🤖 Generated with Claude Code
Based on git blame analysis of 3 file(s):
| Contributor | Contribution | Files |
|---|---|---|
| sarahsimionescu | 50% | 2 |
| Rahul Tarak | 35% | 3 |
| Himanshu Dixit | 3% | 2 |
| Karan Vaidya | 3% | 2 |
| Zen | 2% | 1 |
Based on git history, sarahsimionescu or Rahul Tarak would be good reviewer(s) for this PR.
🤖 Based on git blame with recency weighting (recent edits count more).
