Security issues with custom authentication module (Question)

[EricNetsch]

I built a custom auth module and hooked it up to parse-server. Everything is working great and as expected.

The one issue I am having is security. I am unable to pass more parameters (Hmac etc) to the logInWith call to verify the source of the login and ensure the user is valid. It seems like in most cases using the just the "public" token to auth a user is a large security risk.

Is there any way to pass additional verification details in the logInWith call? In my custom auth module it seems the only data I receive is the user authdata. Ideally, I could pass additional hmac verification data to ensure the matched user is coming from a verified source.

Any advice or solutions would be greatly appreciated.

We use GitHub Issues for bugs.

If you have a non-bug question, ask on Stack Overflow or Server Fault:

• https://stackoverflow.com/questions/tagged/parse.com
• https://serverfault.com/tags/parse

If you have a vulnerability disclosure, please follow our policy available here https://github.com/parse-community/parse-server/blob/master/SECURITY.md

You may also search through existing issues before opening a new one: https://github.com/parse-community/parse-server/issues?utf8=%E2%9C%93&q=is%3Aissue

--- Please use this template. If you don't use this template, your issue may be closed without comment. ---

Issue Description

Describe your issue in as much detail as possible.

Steps to reproduce

Please include a detailed list of steps that reproduce the issue. Include curl commands when applicable.

Expected Results

What you expected to happen.

Actual Outcome

What is happening instead.

Environment Setup

• Server

  • parse-server version (Be specific! Don't say 'latest'.) : [FILL THIS OUT]
  • Operating System: [FILL THIS OUT]
  • Hardware: [FILL THIS OUT]
  • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): [FILL THIS OUT]

• Database

  • MongoDB version: [FILL THIS OUT]
  • Storage engine: [FILL THIS OUT]
  • Hardware: [FILL THIS OUT]
  • Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): [FILL THIS OUT]

Logs/Trace

Include all relevant logs. You can turn on additional logging by configuring VERBOSE=1 in your environment.

[flovilmart]

Do you validate the authData (access token + id) against your custom auth provider? This is what brings the security and if either the access token is invalid or mismatches the provided user id, the login/linking process is failed

[EricNetsch]

Thanks!
I figured out a solution. First I had to update my parse-server version so it could support multiple parameters in my Authdata per this issue #3867 (This opened up a lot of options). Now the loginWith call also sends the hmac verification parameters from my auth provider. Also, included in the hmac parameters is a timestamp which is checked in my module to verify the call even further.
Much more secure now.