I'm in the process of building a website integrated around a GitHub App of mine.
This website has its own users (from Google oAuth), who can connect their account to their GitHub account by installing my GitHub application.
There's something in the GitHub App install process I cannot wrap my head around:
After a user installs my App on GitHub:
their browser is redirected to a URL ("Post install Setup URL"), with the install ID in the URL.
GitHub calls my webhook to declare the install
The install ID is a sensible info, as if a malicious user of my website (the attacker) can trick my website into associating their account with the GitHub Install ID of somebody else (the victim), my website would operate on the GitHub API of the victim on behalf of the attacker (which is bad!).
Now, my goal is to securely bind this install ID to the user of my website. By secure, I mean that it is impossible for my website to grant an attacker permissions on a victim GitHub install of my app.
Using the GitHub install ID provided in the "Post install Setup URL" to bind this install to an account of my website is insecure, as I have no way to validate that this install ID "belongs" to the user of my website, as the URL can be forged by an attacker knowing a valid install ID of a victim.
Imperfect mitigations:
assert that the install ID is not bound to any other user account of my website
bad as it could be circumvented if for some reason the legit user was never redirected to my website using the "Post install Setup URL" to bind this GitHub install ID to his account
bad as in any case, this would be vulnerable to a "race" (or timing?) attack on the confirmation (if the attacker manages to confirm the valid install ID before the victim)
use in conjunction of a GitHub API Event event received on a webhook
- the webhook is triggered by the Github backend, and thus can't identify of the logged-in website user, which does not help us to bind github install ID to the proper website user.
Am I missing something, or is this a flaw of the App authorization model ?