author | Evgeny Fadeev <evgeny.fadeev@gmail.com> | 2012-12-23 04:16:58 -0300 |
committer | Evgeny Fadeev <evgeny.fadeev@gmail.com> | 2012-12-23 04:16:58 -0300 |
commit | a517d94b0871434f45fab4d83cf6dd9954ee9a76 (patch) | |
tree | 871a8e52ce35eab2fd8d66023300ffad6d7800d8 /askbot/deps | |
parent | 661460d593d32cbc91382b30dbb2a4034701114f (diff) | |
download | askbot-a517d94b0871434f45fab4d83cf6dd9954ee9a76.tar.gz askbot-a517d94b0871434f45fab4d83cf6dd9954ee9a76.tar.bz2 askbot-a517d94b0871434f45fab4d83cf6dd9954ee9a76.zip |
added CSRF protection (OAuth2 `state` parameter) and a deny-request flow to OAuth2 sign-in; tested on Facebook only
Diffstat (limited to 'askbot/deps')
-rw-r--r-- | askbot/deps/django_authopenid/util.py | 4 | ||||
-rw-r--r-- | askbot/deps/django_authopenid/views.py | 51 |
2 files changed, 36 insertions, 19 deletions
diff --git a/askbot/deps/django_authopenid/util.py b/askbot/deps/django_authopenid/util.py
index 72ee09df..75169cc9 100644
--- a/askbot/deps/django_authopenid/util.py
+++ b/askbot/deps/django_authopenid/util.py
@@ -796,7 +796,7 @@ class OAuthConnection(object):
         return auth_url
-def get_oauth2_starter_url(provider_name):
+def get_oauth2_starter_url(provider_name, csrf_token):
     """returns redirect url for the oauth2 protocol for a given provider"""
     from sanction.client import Client
@@ -809,7 +809,7 @@ def get_oauth2_starter_url(provider_name):
         client_id=client_id,
         redirect_uri=redirect_uri
     )
-    return client.auth_uri()
+    return client.auth_uri(state=csrf_token)
 def ldap_check_password(username, password):
diff --git a/askbot/deps/django_authopenid/views.py b/askbot/deps/django_authopenid/views.py
index a7dcabb8..b5a26fd3 100644
--- a/askbot/deps/django_authopenid/views.py
+++ b/askbot/deps/django_authopenid/views.py
@@ -33,6 +33,7 @@ import datetime
 from django.http import HttpResponseRedirect, get_host, Http404
 from django.http import HttpResponse
+from django.http import HttpResponseBadRequest
 from django.template import RequestContext, Context
 from django.conf import settings as django_settings
 from askbot.conf import settings as askbot_settings
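Review bot: The docstring of get_oauth2_starter_url still describes only the provider, although the signature now takes csrf_token, which the second hunk hands to the provider as the OAuth2 `state` parameter. Extend it so the contract is visible to callers, e.g. `"""returns redirect url for the oauth2 protocol for a given provider; csrf_token is sent as the OAuth2 ``state`` parameter and must be an unguessable per-request value that the callback view compares against the session"""`. The middle of the function (client construction) lies between the two hunks and is not shown here.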
@@ -273,26 +274,40 @@ def complete_oauth2_signin(request):
     else:
         next_url = reverse('index')
-    providers = util.get_enabled_login_providers()
-    try:
-        provider_name = request.session['provider_name']
-        params = providers[provider_name]
-        assert(params['type'] == 'oauth2')
-    except Exception:
+    if 'error' in request.GET:
+        return HttpResponseRedirect(reverse('index'))
+
+    csrf_token = request.GET.get('state', None)
+    if csrf_token is None or csrf_token != request.session.pop('oauth2_csrf_token'):
         return HttpResponseBadRequest()
-    client_id = getattr(askbot_settings, provider_name.upper() + '_KEY')
-    client_secret = getattr(askbot_settings, provider_name.upper() + '_SECRET')
+    providers = util.get_enabled_login_providers()
+    provider_name = request.session.pop('provider_name')
+    params = providers[provider_name]
+    assert(params['type'] == 'oauth2')
-    client = OAuth2Client(
-        token_endpoint=params['token_endpoint'],
-        resource_endpoint=params['resource_endpoint'],
-        redirect_uri=askbot_settings.APP_URL + reverse('user_complete_oauth2_signin'),
-        client_id=client_id,
-        client_secret=client_secret
-    )
+    client_id = getattr(
+        askbot_settings,
+        provider_name.upper() + '_KEY'
+    )
+
+    client_secret = getattr(
+        askbot_settings,
+        provider_name.upper() + '_SECRET'
+    )
-    client.request_token(code=request.GET['code'], parser=params['response_parser'])
+    client = OAuth2Client(
+        token_endpoint=params['token_endpoint'],
+        resource_endpoint=params['resource_endpoint'],
+        redirect_uri=askbot_settings.APP_URL + reverse('user_complete_oauth2_signin'),
+        client_id=client_id,
+        client_secret=client_secret
+    )
+
+    client.request_token(
+        code=request.GET['code'],
+        parser=params['response_parser']
+    )
     #todo: possibly set additional parameters here
     user_id = params['get_user_id_function'](client)
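Review bot: `request.session.pop('oauth2_csrf_token')` in the new state check raises KeyError whenever the session holds no token — the callback URL hit directly, after session expiry, or a replayed second callback — so those requests end in a 500 instead of the intended 400, and the same applies to `request.session.pop('provider_name')` and to `request.GET['code']` when the provider omits it. The `assert(params['type'] == 'oauth2')` has also moved out of the old try/except, so it now surfaces as an AssertionError (and disappears under `python -O`) rather than a bad-request response. Pop with a default and reject explicitly, as below; comparing the two tokens with `hmac.compare_digest` would additionally avoid a timing side channel, assuming the interpreter version in use provides it. complete_oauth2_signin starts before this hunk and continues past it.
```python
    csrf_token = request.GET.get('state', None)
    expected_token = request.session.pop('oauth2_csrf_token', None)
    if csrf_token is None or expected_token is None or csrf_token != expected_token:
        return HttpResponseBadRequest()

    providers = util.get_enabled_login_providers()
    provider_name = request.session.pop('provider_name', None)
    params = providers.get(provider_name)
    if params is None or params['type'] != 'oauth2' or 'code' not in request.GET:
        return HttpResponseBadRequest()
    # … unchanged: client_id / client_secret lookup, OAuth2Client construction, request_token …
```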
@@ -557,7 +572,9 @@ def signin(request, template_name='authopenid/signin.html'):
                 elif login_form.cleaned_data['login_type'] == 'oauth2':
                     try:
-                        redirect_url = util.get_oauth2_starter_url(provider_name)
+                        csrf_token = generate_random_key(length=32)
+                        redirect_url = util.get_oauth2_starter_url(provider_name, csrf_token)
+                        request.session['oauth2_csrf_token'] = csrf_token
                         request.session['provider_name'] = provider_name
                         return HttpResponseRedirect(redirect_url)
                     except util.OAuthError, e:
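Review bot: The strength of the new `state` value rests entirely on `generate_random_key(length=32)`, whose implementation is not in this diff; if it draws from the default `random` module rather than `os.urandom`/`random.SystemRandom`, the token is predictable and the CSRF check in the callback view is ineffective — confirm, and record the requirement at the call site with `# state must be unguessable: generate_random_key must be CSPRNG-backed`. The name is not among the imports this commit touches, so it is presumably already in scope in views.py. The enclosing signin view starts before this hunk and ends after it.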