fixes: constant AUTH_URL & better csrf handeling
This commit is contained in:
parent
10dab44a27
commit
a43479276b
14
app/main.py
14
app/main.py
|
@ -22,7 +22,8 @@ secret_key = get_env_variable('APP_SECRET_KEY')
|
||||||
# Set secret key to enable sessions
|
# Set secret key to enable sessions
|
||||||
app.secret_key = secret_key
|
app.secret_key = secret_key
|
||||||
|
|
||||||
csrf_protection_string = None
|
# https://www.inoreader.com/oauth2/auth
|
||||||
|
AUTH_URL = 'https://github.com/login/oauth/authorize'
|
||||||
|
|
||||||
@app.route('/')
|
@app.route('/')
|
||||||
def home():
|
def home():
|
||||||
|
@ -44,12 +45,11 @@ def home():
|
||||||
last_synced=last_synced, next_sync=next_sync)
|
last_synced=last_synced, next_sync=next_sync)
|
||||||
|
|
||||||
# Generate a CSRF protection string
|
# Generate a CSRF protection string
|
||||||
global csrf_protection_string
|
session['csrf_protection_string'] = os.urandom(16).hex()
|
||||||
csrf_protection_string = os.urandom(16).hex()
|
|
||||||
|
|
||||||
# Pass dynamic variables to the template
|
# Pass dynamic variables to the template
|
||||||
return render_template('login.html', client_id=client_id, redirect_uri=redirect_uri,
|
return render_template('login.html', auth_url=AUTH_URL, client_id=client_id, redirect_uri=redirect_uri,
|
||||||
optional_scopes=optional_scopes, csrf_protection_string=csrf_protection_string)
|
optional_scopes=optional_scopes, csrf_protection_string=session.get('csrf_protection_string'))
|
||||||
|
|
||||||
@app.route('/oauth-redirect')
|
@app.route('/oauth-redirect')
|
||||||
def oauth_redirect():
|
def oauth_redirect():
|
||||||
|
@ -57,8 +57,8 @@ def oauth_redirect():
|
||||||
csrf_token = request.args.get('state')
|
csrf_token = request.args.get('state')
|
||||||
|
|
||||||
# Verify the CSRF protection string
|
# Verify the CSRF protection string
|
||||||
if csrf_token != csrf_protection_string:
|
if csrf_token != session.get('csrf_protection_string'):
|
||||||
abort(400, 'Invalid CSRF token. Please try again.')
|
abort(403, 'Invalid CSRF token. Please try again.')
|
||||||
|
|
||||||
# Exchange authorization code for access and refresh tokens
|
# Exchange authorization code for access and refresh tokens
|
||||||
# response = requests.post(
|
# response = requests.post(
|
||||||
|
|
|
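Review bot: The new check `if csrf_token != session.get('csrf_protection_string'):` in the oauth_redirect hunk still passes when both sides are None — a request to /oauth-redirect with no `state` parameter from a browser whose session never visited / (or whose session expired) compares `None != None`, which is False, so the abort is skipped and the code-exchange path below runs without any state validation. The value should also be consumed so a state string is accepted only once; I would change the two lines to `expected_state = session.pop('csrf_protection_string', None)` and `if not expected_state or not csrf_token or csrf_token != expected_state:` before the `abort(403, ...)`. If the file already imports `hmac` or `secrets`, `compare_digest(csrf_token, expected_state)` is the usual replacement for `!=` here, but that is secondary to the None case. Note that `session[...]` is only set in home(), so any other entry point to the login page would leave the session empty and hit exactly this path; oauth_redirect's body continues outside the hunk.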
@ -15,8 +15,7 @@
|
||||||
var encodedOptionalScopes = encodeURIComponent('{{ optional_scopes }}');
|
var encodedOptionalScopes = encodeURIComponent('{{ optional_scopes }}');
|
||||||
|
|
||||||
// Construct the URL using Jinja variables
|
// Construct the URL using Jinja variables
|
||||||
// var oauthUrl = `https://www.inoreader.com/oauth2/auth?client_id={{ client_id }}&redirect_uri=${encodedRedirectUri}&response_type=code&scope=${encodedOptionalScopes}&state={{ csrf_protection_string }}`;
|
var oauthUrl = `{{ auth_url }}?client_id={{ client_id }}&redirect_uri=${encodedRedirectUri}&response_type=code&scope=${encodedOptionalScopes}&state={{ csrf_protection_string }}`;
|
||||||
var oauthUrl = `https://github.com/login/oauth/authorize?client_id={{ client_id }}&redirect_uri=${encodedRedirectUri}&response_type=code&scope=${encodedOptionalScopes}&state={{ csrf_protection_string }}`;
|
|
||||||
|
|
||||||
// Redirect to the constructed URL
|
// Redirect to the constructed URL
|
||||||
window.location.href = oauthUrl;
|
window.location.href = oauthUrl;
|
||||||
|
|
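Review bot: The new template-literal line interpolates `{{ auth_url }}`, `{{ client_id }}` and `{{ csrf_protection_string }}` into JavaScript and into a URL without any encoding, while `redirect_uri` and `optional_scopes` on the lines above do go through `encodeURIComponent`; Jinja's autoescape (assuming it is enabled for this template) only HTML-escapes, which is not the right escaping for a JS string or a query parameter. The two values that actually become query parameters should be treated like the others, e.g. `var oauthUrl = \`{{ auth_url }}?client_id=${encodeURIComponent('{{ client_id }}')}&redirect_uri=${encodedRedirectUri}&response_type=code&scope=${encodedOptionalScopes}&state=${encodeURIComponent('{{ csrf_protection_string }}')}\`;`. A simpler option that removes the JS string-building entirely is to assemble the authorize URL server-side in home() with `urllib.parse.urlencode` and pass the finished URL to the template. The enclosing script block starts and ends outside the hunk.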