ref: Use local state to improve GitHub integration security (#29321)

2026-05-31 01:42:45 +08:00 · 2024-09-16 16:46:33 +02:00
parent cc9dca8825
commit 7dd11016a4
4 changed files with 37 additions and 18 deletions
--- a/apps/studio/data/integrations/github-authorization-create-mutation.ts
+++ b/apps/studio/data/integrations/github-authorization-create-mutation.ts
@@ -3,12 +3,25 @@ import { toast } from 'sonner'

 import { handleError, post } from 'data/fetchers'
 import type { ResponseError } from 'types'
+import { LOCAL_STORAGE_KEYS } from 'lib/constants'

 export type GitHubAuthorizationCreateVariables = {
  code: string
+  state: string
 }

-export async function createGitHubAuthorization({ code }: GitHubAuthorizationCreateVariables) {
+export async function createGitHubAuthorization({
+  code,
+  state,
+}: GitHubAuthorizationCreateVariables) {
+  const localState = localStorage.getItem(LOCAL_STORAGE_KEYS.GITHUB_AUTHORIZATION_STATE)
+
+  if (state !== localState) {
+    throw new Error('GitHub authorization state mismatch')
+  } else {
+    localStorage.removeItem(LOCAL_STORAGE_KEYS.GITHUB_AUTHORIZATION_STATE)
+  }
+
  const { data, error } = await post('/platform/integrations/github/authorization', {
    body: { code },
  })
@@ -31,21 +44,12 @@ export const useGitHubAuthorizationCreateMutation = ({
  >,
  'mutationFn'
 > = {}) => {
-  const queryClient = useQueryClient()
-
  return useMutation<
    GitHubAuthorizationCreateData,
    ResponseError,
    GitHubAuthorizationCreateVariables
  >((vars) => createGitHubAuthorization(vars), {
    async onSuccess(data, variables, context) {
-      // const { projectRef, id } = variables
-
-      // await Promise.all([
-      //   queryClient.invalidateQueries(githubAuthorizationKeys.list(projectRef)),
-      //   queryClient.invalidateQueries(githubAuthorizationKeys.githubAuthorization(projectRef, id)),
-      // ])
-
      await onSuccess?.(data, variables, context)
    },
    async onError(data, variables, context) {