From b71eecb0e76bd2e68bd0767a4877ff0e8b0e1dea Mon Sep 17 00:00:00 2001
From: nyiyui <+@nyiyui.ca>
Date: Sun, 10 Dec 2023 20:25:48 -0500
Subject: [PATCH] oauth: reenable pkce and state checking

Seems to work on my local scavenger (with production maclyonsden.com), so I'll enable this and debug with issues on production scavenger.
---
 core/views/auth.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/core/views/auth.py b/core/views/auth.py
index 08a6af7..58524e1 100644
--- a/core/views/auth.py
+++ b/core/views/auth.py
@@ -44,7 +44,7 @@ def oauth_login(q):
 redirect_uri = q.build_absolute_uri(reverse("oauth_auth"))
 state = secrets.token_urlsafe(32)
 q.session["yasoi_state"] = state
- # pkce_params = pkce1(q)
+ pkce_params = pkce1(q)
 return redirect(
 settings.YASOI["authorize_url"]
 + "?"
@@ -55,7 +55,7 @@ def oauth_login(q):
 redirect_uri=redirect_uri,
 scope=settings.YASOI["scope"],
 state=state,
- # **pkce_params,
+ **pkce_params,
 )
 )
 )
@@ -65,12 +65,12 @@ def oauth_login(q):
 def oauth_auth(q):
 redirect_uri = q.build_absolute_uri(reverse("oauth_auth"))
 given_state = q.GET["state"]
- # expected_state = q.session["yasoi_state"]
- # if expected_state != given_state:
- # raise TypeError("state mismatch")
+ expected_state = q.session["yasoi_state"]
+ if expected_state != given_state:
+ raise TypeError("state mismatch")
 if "error" in q.GET:
 raise RuntimeError(f'{q.GET["error"]}: {q.GET.get("error_description")}')
- # pkce_params = pkce2(q)
+ pkce_params = pkce2(q)
 code = q.GET["code"]
 q2 = requests.post(
 settings.YASOI["token_url"],
@@ -79,7 +79,7 @@ def oauth_auth(q):
 code=code,
 redirect_uri=redirect_uri,
 **{key: settings.YASOI[key] for key in ("client_id", "client_secret")},
- # **pkce_params,
+ **pkce_params,
 ),
 )
 if q2.status_code == 400:
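Review bot: In the third hunk (oauth_auth), the re-enabled state check reads `q.session["yasoi_state"]` but never removes it, so the same state value stays valid for any later callback on that session, and a callback that arrives with no state in the session (expired or never started login) raises a bare KeyError instead of being rejected cleanly. Consuming the value and comparing in constant time keeps the check single-use and avoids the uncaught-KeyError path: `expected_state = q.session.pop("yasoi_state", None)` / `if expected_state is None or not secrets.compare_digest(expected_state, given_state):` / `raise TypeError("state mismatch")` (`secrets` is already in scope from oauth_login). Raising TypeError for a failed CSRF check is also unusual; a request-level error such as Django's SuspiciousOperation would map to a 4xx rather than a 500, if that is what the project wants. oauth_auth continues past the end of the hunk, so the token-response handling was not reviewed here.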