From 1bc442b1d33a2dd4651510f402536cdff7fa08d6 Mon Sep 17 00:00:00 2001 From: KMINGON Date: Wed, 4 Jun 2025 17:01:32 +0900 Subject: [PATCH 1/2] =?UTF-8?q?[FIX]:=20tokenType=EA=B9=8C=EC=A7=80=20?= =?UTF-8?q?=EA=B2=80=EC=82=AC=ED=95=98=EC=97=AC=20OAuth=20Flow=EC=9D=B8?= =?UTF-8?q?=EC=A7=80=20=ED=99=95=EC=9D=B8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/controller/accessTokenDetector.ts | 71 ++++++++++++------- 1 file changed, 46 insertions(+), 25 deletions(-) diff --git a/packages/backend/src/controller/accessTokenDetector.ts b/packages/backend/src/controller/accessTokenDetector.ts index 6e95120..283b19b 100644 --- a/packages/backend/src/controller/accessTokenDetector.ts +++ b/packages/backend/src/controller/accessTokenDetector.ts @@ -132,34 +132,53 @@ export class AccessTokenLeakController { * @param text - 검사할 텍스트 * @returns 토큰 값이 있으면 해당 값, 없으면 null */ -private extractTokenFromText(text: string): string | null { + private extractTokenFromText(text: string): string | null { // 토큰 관련 키워드 리스트 const tokenKeys = [ - 'access_token', - 'accesstoken', - 'Access-Token', - 'Refresh_Token', - 'Refresh-Token', - 'RefreshToken', - 'Secret_Token', - 'Secret-Token', - 'SecretToken', - 'SSO_Auth', - 'SSO-Auth', - 'SSOAuth', - 'auth_token', - 'session_token' - ]; + 'access_token', + 'accesstoken', + 'Access-Token', + 'Refresh_Token', + 'Refresh-Token', + 'RefreshToken', + 'Secret_Token', + 'Secret-Token', + 'SecretToken', + 'SSO_Auth', + 'SSO-Auth', + 'SSOAuth', + 'auth_token', + 'session_token' + ]; - // 정규표현식 패턴 리스트 생성 + const tokenTypeKeys = [ + 'token_type', + 'tokenType' + ]; + + // 정규표현식 토큰 타입 유무 패턴 리스트 생성 + const tokenTypeRegexes: RegExp[] = []; + for (const key of tokenTypeKeys) { + // JSON 형식: "token_type": "Bearer" + tokenTypeRegexes.push(new RegExp(`"${key}"\\s*:\\s*"bearer"`, 'i')); + // 일반 key=value 형식: token_type=Bearer + tokenTypeRegexes.push(new RegExp(`${key}[=:]\\s*bearer`, 'i')); + // 공백 있는 형식: token_type : Bearer + tokenTypeRegexes.push(new RegExp(`${key}\\s*:\\s*bearer`, 'i')); + } + + // token_type=bearer 형태 중 하나라도 포함되는지 확인 + const hasTokenTypeBearer = tokenTypeRegexes.some(rx => rx.test(text)); + + // 정규표현식 토큰 유무 패턴 리스트 생성 const tokenPatterns: RegExp[] = []; for (const key of tokenKeys) { - // 1. key=token 또는 key: token - tokenPatterns.push(new RegExp(`${key}[=:]\\s*([a-zA-Z0-9\\-._~+/]+=*)`, 'i')); + // 1. key=token 또는 key: token + tokenPatterns.push(new RegExp(`${key}[=:]\\s*([a-zA-Z0-9\\-._~+/]+=*)`, 'i')); - // 2. JSON 형태의 "key": "token" - tokenPatterns.push(new RegExp(`"${key}"\\s*:\\s*"([^"]+)"`, 'i')); + // 2. JSON 형태의 "key": "token" + tokenPatterns.push(new RegExp(`"${key}"\\s*:\\s*"([^"]+)"`, 'i')); } // 3. Authorization: Bearer 형태 @@ -167,12 +186,14 @@ private extractTokenFromText(text: string): string | null { // 모든 패턴에 대해 검사 for (const pattern of tokenPatterns) { - const match = pattern.exec(text); - if (match && match[1]) { - return match[1]; + const match = pattern.exec(text); + if (match && match[1]) { + if(hasTokenTypeBearer){ + return match[1]; } + } } return null; - } + } } \ No newline at end of file From ac53cd4be5804952b16e4064ed4175fcbdc673c8 Mon Sep 17 00:00:00 2001 From: KMINGON Date: Wed, 4 Jun 2025 17:04:39 +0900 Subject: [PATCH 2/2] =?UTF-8?q?[FIX]:=20index=EC=9D=98=20response=EC=97=90?= =?UTF-8?q?=20=EC=9C=84=EC=B9=98=ED=95=98=EB=8D=98=20request=EA=B2=80?= =?UTF-8?q?=EC=82=AC=20=ED=95=A8=EC=88=98=20=EC=9D=B4=EB=8F=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packages/backend/src/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 43d7516..a5e9113 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -22,7 +22,6 @@ export function init(sdk: SDK) { sdk.events.onInterceptResponse(async (sdk, req: Request, res: Response) => { await csrfCheck.checker(sdk, req, res); //await pkceCheckController.test(sdk, req); - await tokenCheck.testReq(sdk, req); await tokenCheck.testResp(sdk, res, req); await ScopeDetectionController.scan(sdk, req.getUrl()); await redirectBypassController.testAsync(sdk, req, res); @@ -38,6 +37,7 @@ export function init(sdk: SDK) { }); sdk.events.onInterceptRequest(async (sdk, req: Request) => { + await tokenCheck.testReq(sdk, req); await pkceCheckController.test(sdk, req); }); /*