Add Oauth redirect hosts to CSP action-form

app/controllers/oauth/auth_base_controller.rb

@@ -34,6 +34,11 @@ module OAuth
   # See config/initializers/doorkeeper.rb
   class AuthBaseController < ::ApplicationController
     skip_before_action :check_if_login_required
+    after_action :extend_content_security_policy
     layout 'only_logo'
+
+    def extend_content_security_policy
+      use_content_security_policy_named_append(:oauth)
+    end
   end
 end

config/initializers/secure_headers.rb

@@ -73,3 +73,14 @@ SecureHeaders::Configuration.default do |config|
     connect_src: connect_src
   }
 end
+
+SecureHeaders::Configuration.named_append(:oauth) do |request|
+  hosts = []
+  if request.controller_instance.respond_to?(:pre_auth, true)
+    allowed_redirect_urls = request.controller_instance.send(:pre_auth)&.client&.application&.redirect_uri
+    urls = allowed_redirect_urls.to_s.split
+    hosts = urls.map { |url| URI.join(url, '/') }.map(&:to_s)
+  end
+
+  { form_action: hosts }
+end

spec/features/oauth/authorization_code_flow_spec.rb

@@ -30,11 +30,13 @@ require 'spec_helper'
 
 describe 'OAuth authorization code flow', type: :feature, js: true do
   let!(:user) { FactoryBot.create(:user) }
+  let!(:redirect_uri) { 'urn:ietf:wg:oauth:2.0:oob' }
+  let!(:allowed_redirect_uri) { redirect_uri }
   let!(:app) { FactoryBot.create(:oauth_application, name: 'Cool API app!') }
   let(:client_secret) { app.plaintext_secret }
 
-  def oauth_path(client_id)
-    "/oauth/authorize?response_type=code&client_id=#{client_id}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=api_v3"
+  def oauth_path(client_id, redirect_url)
+    "/oauth/authorize?response_type=code&client_id=#{client_id}&redirect_uri=#{CGI.escape(redirect_url)}&scope=api_v3"
   end
 
   before do
@@ -42,7 +44,7 @@ describe 'OAuth authorization code flow', type: :feature, js: true do
   end
 
   it 'can authorize and manage an OAuth application grant' do
-    visit oauth_path app.uid
+    visit oauth_path app.uid, redirect_uri
 
     # Expect we're guided to the login screen
     login_with user.login, 'adminADMIN!', visit_signin_path: false
@@ -54,6 +56,9 @@ describe 'OAuth authorization code flow', type: :feature, js: true do
     expect(page).to have_selector('li strong', text: I18n.t('oauth.scopes.api_v3'))
     expect(page).to have_selector('li', text: I18n.t('oauth.scopes.api_v3_text'))
 
+    # Check that the hosts of allowed redirection urls are present in the content security policy
+    expect(page.response_headers['content-security-policy']).to include("form-action 'self' urn:ietf:wg:oauth:2.0:oob;")
+
     # Authorize
     find('input.button[value="Authorize"]').click
 
@@ -108,7 +113,7 @@ describe 'OAuth authorization code flow', type: :feature, js: true do
   end
 
   it 'does not authenticate unknown applications' do
-    visit oauth_path 'WAT'
+    visit oauth_path 'WAT', redirect_uri
 
     # Expect we're guided to the login screen
     login_with user.login, 'adminADMIN!', visit_signin_path: false
@@ -120,4 +125,20 @@ describe 'OAuth authorization code flow', type: :feature, js: true do
     user.oauth_grants.reload
     expect(user.oauth_grants.count).to eq 0
   end
+
+  context 'with real urls as allowed redirect uris' do
+    let!(:redirect_uri) { "https://foo.com/foo " }
+    let!(:allowed_redirect_uri) { "#{redirect_uri} https://bar.com/bar" }
+    it 'can authorize and manage an OAuth application grant' do
+      visit oauth_path app.uid, redirect_uri
+
+      # Expect we're guided to the login screen
+      login_with user.login, 'adminADMIN!', visit_signin_path: false
+
+      # Check that the hosts of allowed redirection urls are present in the content security policy
+      expect(page.response_headers['content-security-policy']).to(
+        include("form-action 'self' https://foo.com/ https://bar.com/;")
+      )
+    end
+  end
 end