Upgrade Notice: Improved GitHub Security

We’ve improved the overall security of our GitHub authentication. Below is an explanation of the changes and a link to the blog post that explains how to upgrade to the new flow.

TinaCMS communicates with GitHub using a proxy, so the authentication token provided by GitHub is stored as an httpOnly cookie. This stops the client from accessing the token, and that’s all very good. However, this strategy is still vulnerable to Cross-Site Request Forgery (CSRF) attacks. This means that any calls to the proxy, so long as that cookie is still there, will succeed, and that’s not very good.

A common approach to mitigating this problem is to implement the Token Synchronization Pattern. The issue is that this pattern requires some form of server-side session storage. That doesn’t jibe well with the stateless approach of static sites. So, we’ve introduced a variation that we call the Stateless Token Synchronization Pattern.

Stateless Token Synchronization works by storing a CSRF token as an httpOnly cookie and sending an encrypted (signed by the server’s secret Signing Key) token that is the amalgamation of the CSRF token and the authentication token provided by GitHub. This amalgamated token is then stored client-side in local storage and sent to the proxy in a bearer authentication header. Then, server-side, the amalgamated token is decrypted and the CSRF tokens are compared to make sure they match. If all is well, the authentication token is extracted and the call is completed.

This new pattern helps mitigate CSRF attacks and provides the authentication token in an encrypted format, all done statelessly.

See this Blog Post to follow the steps required to upgrade to the new authentication flow.

If you have any questions or concerns, discuss them below!


@jhuggett thank you for this update.

I started a brand new project and followed https://tinacms.org/guides/nextjs/github-open-authoring/initial-setup, but I am still getting “Deprecation Notice: You are using an old authentication flow, please migrate to the new one” and “POST api/proxy-github 401 (Unauthorized)”.

The code can be found here https://github.com/cj/young-actors-house

Cheers!

Hello @cj ,

Are you still able to enter edit mode and save changes or is that failing as well?

If it does work, then I think everything should be working actually. The initial unauthorized proxy call is to check if you have auth credentials already, so that should be normal. When you mentioned this it got me thinking, the deprecation notice will flare even if you are using the right flow because the token isn’t there yet on the first enter edit mode call (I’ll have to fix that).

And if enter edit mode is working, then to make sure you are using the new flow, check your local storage for tinacms-github-token. If that’s there and everything works then you’re golden.

@jhuggett unfortunately I am not able to save, but I can enter edit mode; here is a screen recording. https://share.getcloudapp.com/WnubmzG2

@cj

in pages/_app.tsx try changing

- sidebar: true,
- toolbar: true,
+ sidebar: props.pageProps.preview,
+ toolbar: props.pageProps.preview,
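Review bot: `props.pageProps.preview` is undefined on any page whose getStaticProps does not return a `preview` prop, so those pages will silently render with the sidebar and toolbar disabled rather than failing loudly; if every page is meant to forward the Next.js preview flag, coerce it so the options stay strictly boolean, e.g. `sidebar: Boolean(props.pageProps.preview)`.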

@logan that did the trick, thank you!

I created a pull request to update the docs https://github.com/tinacms/tinacms.org/pull/515