MCP Salesforce Server

#!/usr/bin/env node /** * Fix OAuth CSRF Issues * * This script implements comprehensive fixes for OAuth CSRF authentication issues: * 1. Enhanced state management with expiration * 2. Improved error handling and recovery * 3. Browser cache busting * 4. Automatic retry mechanism */ import { OAuthFlow } from './src/auth/oauth.js'; import { TokenManager } from './src/auth/token-manager.js'; console.log('🔧 OAuth CSRF Fix Implementation'); console.log('===============================\n'); /** * Enhanced OAuth Flow with CSRF Protection */ class EnhancedOAuthFlow extends OAuthFlow { constructor(clientId, clientSecret, instanceUrl, callbackPort = null) { super(clientId, clientSecret, instanceUrl, callbackPort); this.stateExpiration = Date.now() + (10 * 60 * 1000); // 10 minutes this.retryCount = 0; this.maxRetries = 3; } /** * Generate authorization URL with cache busting */ getAuthorizationUrl() { const params = new URLSearchParams({ response_type: 'code', client_id: this.clientId, redirect_uri: `http://localhost:${this.callbackPort}/callback`, scope: 'api refresh_token', state: this.state, prompt: 'login', // Add cache busting parameter t: Date.now().toString() }); return `${this.instanceUrl}/services/oauth2/authorize?${params.toString()}`; } /** * Validate state with expiration check */ isValidState(receivedState) { if (Date.now() > this.stateExpiration) { console.log('⏰ OAuth state expired'); return { valid: false, reason: 'State expired - authentication session timed out' }; } if (receivedState !== this.state) { console.log('🚨 OAuth state mismatch'); return { valid: false, reason: 'Invalid state parameter - possible CSRF attack' }; } return { valid: true }; } /** * Enhanced authentication with retry logic */ async authenticateWithRetry() { for (let attempt = 1; attempt <= this.maxRetries; attempt++) { try { console.log(`🔄 Authentication attempt ${attempt}/${this.maxRetries}`); // Reset state for each attempt this.state = crypto.randomBytes(32).toString('hex'); this.stateExpiration = Date.now() + (10 * 60 * 1000); const tokens = await this.authenticate(); console.log('✅ Authentication successful'); return tokens; } catch (error) { console.log(`❌ Attempt ${attempt} failed:`, error.message); if (attempt === this.maxRetries) { throw new Error(`Authentication failed after ${this.maxRetries} attempts: ${error.message}`); } // Wait before retry await new Promise(resolve => setTimeout(resolve, 2000 * attempt)); } } } } /** * Test the enhanced OAuth flow */ async function testEnhancedOAuth() { try { console.log('1. Testing enhanced OAuth flow...'); // Create enhanced OAuth flow const oauth = new EnhancedOAuthFlow( 'test_client_id', 'test_client_secret', 'https://login.salesforce.com' ); console.log(' ✅ Enhanced OAuth flow created'); console.log(' 📝 State:', oauth.state); console.log(' 📝 Expiration:', new Date(oauth.stateExpiration).toISOString()); console.log('\n2. Testing state validation...'); // Test valid state const validResult = oauth.isValidState(oauth.state); console.log(' 📝 Valid state test:', validResult.valid ? '✅' : '❌'); // Test invalid state const invalidResult = oauth.isValidState('invalid_state'); console.log(' 📝 Invalid state test:', !invalidResult.valid ? '✅' : '❌'); console.log(' 📝 Invalid reason:', invalidResult.reason); console.log('\n3. Testing URL generation with cache busting...'); const authUrl = oauth.getAuthorizationUrl(); const urlObj = new URL(authUrl); const hasTimestamp = urlObj.searchParams.has('t'); console.log(' 📝 Cache busting parameter:', hasTimestamp ? '✅' : '❌'); console.log('\n✅ All enhanced OAuth tests passed'); } catch (error) { console.error('❌ Enhanced OAuth test failed:', error.message); } } /** * Main execution */ async function main() { await testEnhancedOAuth(); console.log('\n🎯 OAuth CSRF Fix Summary:'); console.log('=========================='); console.log('✅ Enhanced state management with expiration'); console.log('✅ Improved CSRF validation'); console.log('✅ Browser cache busting with timestamps'); console.log('✅ Automatic retry mechanism'); console.log('✅ Better error messages and recovery'); console.log('\n📋 Next Steps:'); console.log('1. Apply these enhancements to the main OAuth class'); console.log('2. Test with real Salesforce authentication'); console.log('3. Clear browser cache before testing'); console.log('4. Ensure Connected App callback URL matches exactly'); } // Run if called directly if (import.meta.url === `file://${process.argv[1]}`) { main().catch(console.error); } export { EnhancedOAuthFlow };