Migrate settings auth from encrypted tokens to Redis sessions #152
Closed
buremba wants to merge 6 commits into
The GetSettingsLink fallback path returned the raw settings URL (containing the encrypted token) directly to the worker/agent in the tool response text and logged it. A compromised or jailbroken agent could exfiltrate this token to access the user's settings page. Fix: gateway fallback now returns type:"settings_link" (same as the normal path) instead of the raw URL. Worker fallback no longer logs or returns the URL to the agent. https://claude.ai/code/session_01QhKDdik3bc5hkMecqJHFcq
…ating endpoints
Apply the same defense-in-depth pattern established for settings-link to all gateway endpoints that generate authenticated URLs:
Gateway side (never return raw URLs to worker):
- /internal/mcp-login: fallback no longer returns loginUrl, returns type:"mcp_login_link" with safe message instead
- /internal/integrations/connect: fallback no longer returns oauthUrl, returns safe message matching the interactionService path
Worker side (never pass raw gateway messages to agent):
- ConnectService MCP fallback: checks response type instead of blindly passing data.message (which could contain URLs)
- ConnectService OAuth path: uses fixed messages instead of passing result.message from gateway
Principle: the gateway delivers sensitive links to users via interactionService (native platform buttons). The worker/agent never needs to see the actual URL.
https://claude.ai/code/session_01QhKDdik3bc5hkMecqJHFcq
…gnostic OAuth
Consolidate all auth token systems into a single pattern: server-side
Redis sessions with opaque session IDs in URLs. No encrypted tokens
travel through URLs anymore.
New components:
- AuthSessionStore: Redis-backed session store (key: auth:session:{uuid})
Replaces AES-256-GCM encrypted token generation for settings links
and integration OAuth init URLs.
- OAuthIdentityStore: Maps OAuth provider identities to platform users.
First access establishes mapping (trusted via chat delivery), subsequent
accesses verify it.
- SettingsOAuthProvider: Configurable OAuth for settings page identity
verification. Provider-agnostic — any OAuth2 provider works via env vars
(SETTINGS_OAUTH_AUTH_URL, _TOKEN_URL, _CLIENT_ID, _CLIENT_SECRET,
_USERINFO_URL, _SCOPES, _PROVIDER_NAME). Uses existing GenericOAuth2Client.
Settings flow changes:
- settings-link.ts: createSession() instead of generateSettingsToken()
- settings-auth.ts: Redis lookup instead of token decryption (now async)
- settings.ts: Handles ?s= session param, OAuth redirect/callback,
Telegram initData creates Redis session instead of synthetic encrypted token
Integration OAuth changes:
- oauth-module.ts: createInitSession() replaces generateSecureToken().
Init URLs use ?s=<sessionId> instead of ?token=<encrypted>.
Metadata stored in auth:session:meta:{sessionId} alongside session.
- routes.ts: Uses oauthModule.createInitSession() for connect flow.
All verifySettingsSession() callers updated to use await (now async).
Legacy generateSettingsToken/verifySettingsToken kept for backward compat
(Slack events, WhatsApp handlers, built-in commands — to migrate later).
https://claude.ai/code/session_01QhKDdik3bc5hkMecqJHFcq
The session bootstrap page now reads the `s` hash param (matching buildSessionUrl) and sends `sessionId` to POST /settings/session. Falls back to legacy `st` and `token` params for backward compat. https://claude.ai/code/session_01QhKDdik3bc5hkMecqJHFcq
…ts and legacy token callers
Consolidate all settings URL generation to use ?s= query params with Redis sessions. Remove hash fragment patterns (#s=, #st=, #token=), backward compatibility fallbacks, and all usage of generateSettingsToken, generateChannelSettingsToken, buildSettingsUrl, verifySettingsToken. Rename bootstrap page to Telegram-only since that's the sole use case.
https://claude.ai/code/session_01QhKDdik3bc5hkMecqJHFcq
Delete generateSettingsToken, verifySettingsToken, buildSettingsUrl, SETTINGS_TOKEN_HASH_PARAM, SettingsTokenPayload alias, and SettingsTokenOptions from token-service.ts. Update all test files to use session-based auth (?s= query param) instead of encrypted tokens. https://claude.ai/code/session_01QhKDdik3bc5hkMecqJHFcq
Member
Author
Getting rid of AI slop
Description
This PR replaces the encrypted token-based authentication system for settings pages with a server-side Redis session approach. Instead of embedding sensitive context in encrypted URL tokens, authentication now uses opaque session IDs stored in Redis, improving security and simplifying token management.
Key Changes
New Session Infrastructure:
- AuthSessionStore - Redis-backed session store for managing auth context with configurable TTL
- OAuthIdentityStore - Maps OAuth provider identities to platform users
- SettingsOAuthProvider - Handles OAuth flows for settings authentication
Authentication Flow Updates:
- ?s=<uuid>) instead of encrypted tokens (#st=...)
Type Changes:
- SettingsTokenPayload to SettingsSessionPayload throughout codebase
- buildSessionUrl, getSessionStore)
- generateSettingsToken, generateChannelSettingsToken)
Affected Components:
- /routes/public/settings.ts) - now session-based
- settings-auth.ts) - session verification instead of token verification
Code Quality:
Type of Change
Testing
Checklist
Related Issues
N/A
Additional Notes
This is a security-focused refactor that eliminates the need to transmit sensitive context in URLs. Session IDs are opaque and short-lived, with all context stored securely server-side in Redis. The change maintains backward compatibility at the API level while improving the underlying authentication mechanism.
https://claude.ai/code/session_01QhKDdik3bc5hkMecqJHFcq
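
A minimal sketch of the opaque-session pattern that the commits and the description above describe, added here as an example; it is not code from this PR. Only the `auth:session:{uuid}` key format, the `?s=` parameter and the names `AuthSessionStore`, `createSession`, `buildSessionUrl` and `SettingsSessionPayload` come from the page; the payload fields, method signatures, `getSession`, the TTL, the `/settings` path and the in-memory `FakeRedis` stand-in are assumptions.

```typescript
import { randomUUID } from "node:crypto";

// Assumed payload shape; the PR's real SettingsSessionPayload fields are not shown on the page.
interface SettingsSessionPayload { userId: string; platform: string }

// In-memory stand-in for Redis SET..EX / GET (synchronous for brevity; a real client is async).
class FakeRedis {
  private data = new Map<string, { value: string; expiresAt: number }>();
  private now: () => number;
  constructor(now: () => number) { this.now = now; }
  setEx(key: string, ttlSec: number, value: string): void {
    this.data.set(key, { value, expiresAt: this.now() + ttlSec * 1000 });
  }
  get(key: string): string | null {
    const hit = this.data.get(key);
    if (!hit) return null;
    if (hit.expiresAt <= this.now()) { this.data.delete(key); return null; }
    return hit.value;
  }
}

// Only ids in the exact shape randomUUID() emits are ever turned into a Redis key.
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;

class AuthSessionStore {
  private redis: FakeRedis;
  private ttlSec: number;
  constructor(redis: FakeRedis, ttlSec = 600) { // 600 s is an assumed TTL
    this.redis = redis;
    this.ttlSec = ttlSec;
  }
  createSession(payload: SettingsSessionPayload): string {
    const id = randomUUID(); // CSPRNG-generated, carries no user context
    this.redis.setEx(`auth:session:${id}`, this.ttlSec, JSON.stringify(payload));
    return id;
  }
  getSession(id: unknown): SettingsSessionPayload | null {
    // Reject anything else, e.g. "meta:<uuid>", which would address auth:session:meta:{id}.
    if (typeof id !== "string" || !UUID_V4.test(id)) return null;
    const raw = this.redis.get(`auth:session:${id}`);
    return raw ? (JSON.parse(raw) as SettingsSessionPayload) : null;
  }
}

// The link carries only the opaque id in ?s=; the /settings path is an assumption.
function buildSessionUrl(baseUrl: string, sessionId: string): string {
  return `${baseUrl}/settings?s=${encodeURIComponent(sessionId)}`;
}
```

The injected clock lets TTL expiry be checked without waiting; with a real Redis client the same calls become awaited, which is why the commit notes that verifySettingsSession() callers now use await.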