fixes: constant AUTH_URL & better csrf handling
This commit is contained in:
parent
10dab44a27
commit
a43479276b
14
app/main.py
14
app/main.py
|
@ -22,7 +22,8 @@ secret_key = get_env_variable('APP_SECRET_KEY')
|
|||
# Set secret key to enable sessions
|
||||
app.secret_key = secret_key
|
||||
|
||||
csrf_protection_string = None
|
||||
# https://www.inoreader.com/oauth2/auth
|
||||
AUTH_URL = 'https://github.com/login/oauth/authorize'
|
||||
|
||||
@app.route('/')
|
||||
def home():
|
||||
|
@ -44,12 +45,11 @@ def home():
|
|||
last_synced=last_synced, next_sync=next_sync)
|
||||
|
||||
# Generate a CSRF protection string
|
||||
global csrf_protection_string
|
||||
csrf_protection_string = os.urandom(16).hex()
|
||||
session['csrf_protection_string'] = os.urandom(16).hex()
|
||||
|
||||
# Pass dynamic variables to the template
|
||||
return render_template('login.html', client_id=client_id, redirect_uri=redirect_uri,
|
||||
optional_scopes=optional_scopes, csrf_protection_string=csrf_protection_string)
|
||||
return render_template('login.html', auth_url=AUTH_URL, client_id=client_id, redirect_uri=redirect_uri,
|
||||
optional_scopes=optional_scopes, csrf_protection_string=session.get('csrf_protection_string'))
|
||||
|
||||
@app.route('/oauth-redirect')
|
||||
def oauth_redirect():
|
||||
|
@ -57,8 +57,8 @@ def oauth_redirect():
|
|||
csrf_token = request.args.get('state')
|
||||
|
||||
# Verify the CSRF protection string
|
||||
if csrf_token != csrf_protection_string:
|
||||
abort(400, 'Invalid CSRF token. Please try again.')
|
||||
if csrf_token != session.get('csrf_protection_string'):
|
||||
abort(403, 'Invalid CSRF token. Please try again.')
|
||||
|
||||
# Exchange authorization code for access and refresh tokens
|
||||
# response = requests.post(
|
||||
|
|
|
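Review bot: The rewritten check at `if csrf_token != session.get('csrf_protection_string'):` in the third hunk still passes when both sides are missing: a callback request with no `state` parameter and a session that never went through `home()` compares `None != None`, which is False, so the handler continues into the token exchange without any token having been verified. The stored value is also left in the session after the comparison, so the same `state` can be presented again for the lifetime of the session cookie. I would consume it and require both values: `expected = session.pop('csrf_protection_string', None)` / `if not csrf_token or not expected or not secrets.compare_digest(csrf_token, expected):` / `    abort(403, 'Invalid CSRF token. Please try again.')`, with `import secrets` (stdlib) added to the file's imports. The first hunk leaves the stale `# https://www.inoreader.com/oauth2/auth` comment above `AUTH_URL`, which now names a different provider; replace it with one describing the constant, e.g. `# OAuth authorization endpoint that login.html redirects the browser to`. `home()` starts before the second hunk and `oauth_redirect()` continues past the end of the third.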
@ -15,8 +15,7 @@
|
|||
var encodedOptionalScopes = encodeURIComponent('{{ optional_scopes }}');
|
||||
|
||||
// Construct the URL using Jinja variables
|
||||
// var oauthUrl = `https://www.inoreader.com/oauth2/auth?client_id={{ client_id }}&redirect_uri=${encodedRedirectUri}&response_type=code&scope=${encodedOptionalScopes}&state={{ csrf_protection_string }}`;
|
||||
var oauthUrl = `https://github.com/login/oauth/authorize?client_id={{ client_id }}&redirect_uri=${encodedRedirectUri}&response_type=code&scope=${encodedOptionalScopes}&state={{ csrf_protection_string }}`;
|
||||
var oauthUrl = `{{ auth_url }}?client_id={{ client_id }}&redirect_uri=${encodedRedirectUri}&response_type=code&scope=${encodedOptionalScopes}&state={{ csrf_protection_string }}`;
|
||||
|
||||
// Redirect to the constructed URL
|
||||
window.location.href = oauthUrl;
|
||||
|
|