authorEvgeny Fadeev <evgeny.fadeev@gmail.com>2012-12-23 04:16:58 -0300
committerEvgeny Fadeev <evgeny.fadeev@gmail.com>2012-12-23 04:16:58 -0300
commita517d94b0871434f45fab4d83cf6dd9954ee9a76 (patch)
tree871a8e52ce35eab2fd8d66023300ffad6d7800d8 /askbot/deps
parent661460d593d32cbc91382b30dbb2a4034701114f (diff)
added CSRF protection and the deny-request flow to OAuth2; tested on Facebook only
Diffstat (limited to 'askbot/deps')
-rw-r--r--askbot/deps/django_authopenid/util.py4
-rw-r--r--askbot/deps/django_authopenid/views.py51
2 files changed, 36 insertions, 19 deletions
diff --git a/askbot/deps/django_authopenid/util.py b/askbot/deps/django_authopenid/util.py
index 72ee09df..75169cc9 100644
--- a/askbot/deps/django_authopenid/util.py
+++ b/askbot/deps/django_authopenid/util.py
@@ -796,7 +796,7 @@ class OAuthConnection(object):
return auth_url
-def get_oauth2_starter_url(provider_name):
+def get_oauth2_starter_url(provider_name, csrf_token):
"""returns redirect url for the oauth2 protocol for a given provider"""
from sanction.client import Client
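Review bot: The docstring under the new signature still describes only `provider_name`; the new `csrf_token` argument, which the next hunk passes to the provider as the OAuth2 `state` value, is undocumented. I would extend it to `"""returns redirect url for the oauth2 protocol for a given provider; csrf_token is sent as the OAuth2 ``state`` parameter and must be compared with the value the provider echoes back to the callback view"""`. The body of get_oauth2_starter_url continues outside this hunk.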
@@ -809,7 +809,7 @@ def get_oauth2_starter_url(provider_name):
client_id=client_id,
redirect_uri=redirect_uri
)
- return client.auth_uri()
+ return client.auth_uri(state=csrf_token)
def ldap_check_password(username, password):
diff --git a/askbot/deps/django_authopenid/views.py b/askbot/deps/django_authopenid/views.py
index a7dcabb8..b5a26fd3 100644
--- a/askbot/deps/django_authopenid/views.py
+++ b/askbot/deps/django_authopenid/views.py
@@ -33,6 +33,7 @@
import datetime
from django.http import HttpResponseRedirect, get_host, Http404
from django.http import HttpResponse
+from django.http import HttpResponseBadRequest
from django.template import RequestContext, Context
from django.conf import settings as django_settings
from askbot.conf import settings as askbot_settings
@@ -273,26 +274,40 @@ def complete_oauth2_signin(request):
else:
next_url = reverse('index')
- providers = util.get_enabled_login_providers()
- try:
- provider_name = request.session['provider_name']
- params = providers[provider_name]
- assert(params['type'] == 'oauth2')
- except Exception:
+ if 'error' in request.GET:
+ return HttpResponseRedirect(reverse('index'))
+
+ csrf_token = request.GET.get('state', None)
+ if csrf_token is None or csrf_token != request.session.pop('oauth2_csrf_token'):
return HttpResponseBadRequest()
- client_id = getattr(askbot_settings, provider_name.upper() + '_KEY')
- client_secret = getattr(askbot_settings, provider_name.upper() + '_SECRET')
+ providers = util.get_enabled_login_providers()
+ provider_name = request.session.pop('provider_name')
+ params = providers[provider_name]
+ assert(params['type'] == 'oauth2')
- client = OAuth2Client(
- token_endpoint=params['token_endpoint'],
- resource_endpoint=params['resource_endpoint'],
- redirect_uri=askbot_settings.APP_URL + reverse('user_complete_oauth2_signin'),
- client_id=client_id,
- client_secret=client_secret
- )
+ client_id = getattr(
+ askbot_settings,
+ provider_name.upper() + '_KEY'
+ )
+
+ client_secret = getattr(
+ askbot_settings,
+ provider_name.upper() + '_SECRET'
+ )
- client.request_token(code=request.GET['code'], parser=params['response_parser'])
+ client = OAuth2Client(
+ token_endpoint=params['token_endpoint'],
+ resource_endpoint=params['resource_endpoint'],
+ redirect_uri=askbot_settings.APP_URL + reverse('user_complete_oauth2_signin'),
+ client_id=client_id,
+ client_secret=client_secret
+ )
+
+ client.request_token(
+ code=request.GET['code'],
+ parser=params['response_parser']
+ )
#todo: possibly set additional parameters here
user_id = params['get_user_id_function'](client)
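Review bot: `request.session.pop('oauth2_csrf_token')` on the state-check line has no default, so a callback that arrives without a pending token (a direct hit on the URL, or a second delivery after the first consumed the token) raises KeyError and surfaces as a 500 instead of the intended HttpResponseBadRequest; the same applies to `request.session.pop('provider_name')` and to `providers[provider_name]` when the provider was disabled between redirect and callback, cases the removed try/except used to turn into a 400. The `assert(params['type'] == 'oauth2')` that replaced that handling is stripped under `python -O`, so it should be an explicit check. The `'error'` early return also leaves `oauth2_csrf_token` and `provider_name` in the session; popping both before that branch keeps a declined attempt from leaving a pending token behind. complete_oauth2_signin starts before and continues after this hunk.
```python
    csrf_token = request.GET.get('state', None)
    # consume the pending values first so a declined ('error') attempt
    # does not leave a usable token in the session
    expected_token = request.session.pop('oauth2_csrf_token', None)
    provider_name = request.session.pop('provider_name', None)

    if 'error' in request.GET:
        return HttpResponseRedirect(reverse('index'))

    # missing or mismatched state is a bad request, never a KeyError/500
    if csrf_token is None or csrf_token != expected_token:
        return HttpResponseBadRequest()

    providers = util.get_enabled_login_providers()
    params = providers.get(provider_name)
    # explicit check instead of assert(), which is stripped under -O
    if params is None or params.get('type') != 'oauth2':
        return HttpResponseBadRequest()
    # … unchanged: client_id/client_secret lookup, OAuth2Client construction, request_token …
```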
@@ -557,7 +572,9 @@ def signin(request, template_name='authopenid/signin.html'):
elif login_form.cleaned_data['login_type'] == 'oauth2':
try:
- redirect_url = util.get_oauth2_starter_url(provider_name)
+ csrf_token = generate_random_key(length=32)
+ redirect_url = util.get_oauth2_starter_url(provider_name, csrf_token)
+ request.session['oauth2_csrf_token'] = csrf_token
request.session['provider_name'] = provider_name
return HttpResponseRedirect(redirect_url)
except util.OAuthError, e:
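Review bot: The OAuth2 `state` value introduced on the `csrf_token = generate_random_key(length=32)` line is only as strong as that helper's randomness source, which is not visible in this hunk; the state check in complete_oauth2_signin protects against login-CSRF only if the token is unpredictable, so please confirm generate_random_key draws from `os.urandom` or `random.SystemRandom` rather than the default `random` generator, and note it in a comment such as `# must be unpredictable: it is the OAuth2 'state' checked on callback`. Storing the token in the session only after `get_oauth2_starter_url` succeeds is correct, since an OAuthError then leaves no dangling token. The signin function continues outside this hunk.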