Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Login Failure with OpenID Connect Due to Incorrect Base64 Decoding of Japanese Characters in JWT #388

Open
miikun77 opened this issue Jan 8, 2025 · 1 comment
Open

Login Failure with OpenID Connect Due to Incorrect Base64 Decoding of Japanese Characters in JWT #388

miikun77 opened this issue Jan 8, 2025 · 1 comment
Labels
bug Something isn't working

Comments

@miikun77
Copy link

miikun77 commented Jan 8, 2025

Description

The current implementation of base64 decoding in the frontend application leads to incorrect handling of non-ASCII characters, specifically Japanese characters. This leads to a complete login failure when processing user information extracted from JWT tokens received during the OpenID Connect login flow.

Current behavior

The code responsible for decoding the base64-encoded payload of the JWT token (obtained via OpenID Connect) incorrectly replaces only the first instance of - with + and _ with /. Additionally, it fails to properly decode non-ASCII characters.

Steps to reproduce

  1. Attempt to log in to Vikunja using OpenID Connect.
  2. Use an account where the returned JWT token contains Japanese characters in the user information.
  3. Observe that the login process fails.

Additional context

The current code for base64 decoding in frontend/src/stores/auth.ts is:

const base64 = jwt.split('.')[1].replace('-', '+').replace('_', '/')
const info = new UserModel(JSON.parse(atob(base64)))

This code only replaces the first instance of - and _. A correct implementation should use regular expressions with the g (global) flag to replace all occurrences.

// Replace all occurrences of - and _
const base64 = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/')
// Decode correctly, handling non-ASCII characters
const info = new UserModel(JSON.parse(decodeURIComponent(window.atob(base64).split('').map(function(c) {
        return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);
    }).join(''))))

Reference

This issue is similar to a problem reported in the microsoft-authentication-library-for-js repository: AzureAD/microsoft-authentication-library-for-js#985

Note

I am including the code directly in this report because my Gitea account is not yet approved. I apologize for any inconvenience this may cause.

Vikunja Version

v0.24.6

Browser and version

Chrome/131.0.6778.206

Can you reproduce the bug on the Vikunja demo site?

No

Screenshots

No response
@kolaente kolaente added the bug Something isn't working label Jan 10, 2025
@kolaente
Copy link
Member

Is that reproducible on the demo when you set the accounts' name to contain non-ascii characters and then log in again?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kolaente @miikun77