Auth hardening: open redirect, missing secure flag, weak timing comparison#68

Open
Copilot wants to merge 2 commits into main from copilot/fix-auth-security-issues
Conversation

Contributor

Copilot AI commented Feb 26, 2026

Addresses three security issues in app/actions/auth.ts: open redirect via unvalidated redirectTo, session cookies missing the secure flag in production, and a custom timing-safe comparison weaker than the stdlib equivalent.

Changes

  • Open redirect — redirectTo is now validated to only accept paths starting with / and not //; anything else falls back to "/"
  • Secure cookie flag — both claudeye_session and claudeye_auth now set secure: process.env.NODE_ENV === "production"
  • crypto.timingSafeEqual — replaced the custom XOR loop with Node.js crypto.timingSafeEqual; strings are converted to Buffer before comparison, with a dummy self-comparison when lengths differ to preserve constant-time behaviour
```typescript
// Before
const redirectTo = (formData.get("redirectTo") as string | null) || "/";

// After
const rawRedirect = (formData.get("redirectTo") as string | null) ?? "/";
const redirectTo = rawRedirect.startsWith("/") && !rawRedirect.startsWith("//") ? rawRedirect : "/";
```

```typescript
// Before — custom XOR loop
function timingSafeEqual(a: string, b: string): boolean { ... }

// After — stdlib
import { timingSafeEqual as cryptoTimingSafeEqual } from "node:crypto";
function timingSafeEqual(a: string, b: string): boolean {
  const bufA = Buffer.from(a);
  const bufB = Buffer.from(b);
  if (bufA.length !== bufB.length) {
    cryptoTimingSafeEqual(bufA, bufA); // dummy comparison, constant time
    return false;
  }
  return cryptoTimingSafeEqual(bufA, bufB);
}
```

Tests covering the redirect validation and secure flag behaviour are added in __tests__/actions/auth.test.ts.

Type of Change

  • Bug fix
  • New feature
  • Refactor
  • Documentation

Checklist

  • npm run lint passes
  • npx tsc --noEmit passes
  • npm run test:run passes
  • npm run build succeeds
Original prompt

This section details the original issue you should resolve

<issue_title>[Security] Auth hardening: open redirect, missing secure flag, weak comparison</issue_title>
<issue_description>## Description

Multiple auth-related security issues across the authentication flow.

Issues

1. Open redirect via redirectTo

app/actions/auth.ts:9: redirectTo is taken from form data and used without validation. An attacker can set redirectTo=https://evil.com to redirect users after login.

Fix: Validate that redirectTo starts with / and does not start with //.

2. Missing secure flag on session cookie

app/actions/auth.ts:34-39: Session cookie is set without secure: true in production, allowing transmission over HTTP.

Fix: Add secure: process.env.NODE_ENV === 'production' to cookie options.

3. Weak timing-safe comparison

app/actions/auth.ts:58-74: Custom timingSafeEqual implementation is inferior to the built-in crypto.timingSafeEqual.

Fix: Use crypto.timingSafeEqual from Node.js stdlib.

4. Credentials in plaintext env vars

lib/evals/server-spawn.ts:164-173: Auth credentials passed as plaintext environment variables to spawned processes.

Related Issues

Comments on the Issue (you are @copilot in this section)


Co-authored-by: NiveditJain <40313233+NiveditJain@users.noreply.github.com>
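As an added example that is not part of the PR or the project's code, the following implements the redirect rule from the description ("/" prefix, no "//" prefix) and backs it with a URL-resolution check against the site origin, so that inputs a browser would resolve off-origin are also rejected. SITE_ORIGIN, safeRedirectPath and the sample inputs are constructed placeholders.

```typescript
// Added example, not the project's code: the redirect rule from the PR
// followed by a URL-resolution check against the site origin.
// SITE_ORIGIN is a constructed placeholder for the deployed origin.
const SITE_ORIGIN = "https://app.example.invalid";

function safeRedirectPath(raw: string | null | undefined): string {
  const candidate = raw ?? "/";

  // Rule from the PR: must be a path, and not a protocol-relative URL.
  if (!candidate.startsWith("/") || candidate.startsWith("//")) {
    return "/";
  }

  // Defence in depth: resolve the candidate the way a browser would and
  // confirm it stays on our origin. WHATWG parsing treats "\" like "/" for
  // https URLs, so "/\host" resolves to "https://host/" and is rejected here.
  try {
    const resolved = new URL(candidate, SITE_ORIGIN);
    if (resolved.origin !== SITE_ORIGIN) {
      return "/";
    }
    // Hand back a normalized same-origin path (dot segments collapsed),
    // never an absolute URL.
    return resolved.pathname + resolved.search + resolved.hash;
  } catch {
    return "/";
  }
}

// Constructed form inputs paired with the path a login handler should use.
const SAMPLES: Array<[string | null, string]> = [
  ["/dashboard?tab=runs", "/dashboard?tab=runs"],
  [null, "/"],
  ["https://other.example.invalid/", "/"],
  ["//other.example.invalid/", "/"],
  ["/\\other.example.invalid/", "/"],
  ["/../admin", "/admin"],
];

// Returns true when every sample resolves to its expected path.
function allSamplesPass(): boolean {
  return SAMPLES.every(([input, expected]) => safeRedirectPath(input) === expected);
}

console.log(allSamplesPass() ? "all samples ok" : "mismatch");
```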
Copilot AI changed the title from "[WIP] Fix authentication security vulnerabilities including open redirect" to "Auth hardening: open redirect, missing secure flag, weak timing comparison" Feb 26, 2026
@NiveditJain NiveditJain marked this pull request as ready for review February 27, 2026 04:20
Development

Successfully merging this pull request may close these issues.

[Security] Auth hardening: open redirect, missing secure flag, weak comparison