We’ve improved the overall security of our GitHub authentication. Below is an explanation of the changes and a link to the blog post that explains how to upgrade to the new flow.
TinaCMS communicates with GitHub using a proxy, so the authentication token provided by GitHub is stored as an httpOnly cookie. This stops client-side JavaScript from accessing the token, and that’s all very good. However, this strategy is still vulnerable to Cross-Site Request Forgery (CSRF) attacks: the browser attaches the cookie to every request it makes to the proxy, so any call to the proxy, so long as that cookie is still there, will succeed regardless of which site triggered it, and that’s not very good.
A common approach to mitigating this problem is to implement the Token Synchronization Pattern. The issue is that this pattern requires some form of server-side session storage. That doesn’t jibe well with the stateless approach of static sites. So, we’ve introduced a variation that we call the Stateless Token Synchronization Pattern.
Stateless Token Synchronization works by storing a CSRF token as an httpOnly cookie and sending the client an encrypted token (signed with the server’s secret Signing Key) that is the amalgamation of the CSRF token and the authentication token provided by GitHub. This amalgamated token is then stored client-side in local storage and sent to the proxy in a bearer authentication header. Then, server-side, the amalgamated token is decrypted and the CSRF token inside it is compared with the one in the cookie to make sure they match. If all is well, the authentication token is extracted and the call is completed.
This new pattern helps mitigate CSRF attacks and provides the authentication token in an encrypted format, all done statelessly.
See this Blog Post to follow the steps required to upgrade to the new authentication flow.
If you have any questions or concerns, discuss them below!