fixes: constant AUTH_URL & better csrf handeling

This commit is contained in:
Swapnil 2024-02-07 12:43:26 +05:30
parent 10dab44a27
commit a43479276b
Signed by: swapnil
GPG Key ID: 58029C48BB100574
2 changed files with 8 additions and 9 deletions

View File

@ -22,7 +22,8 @@ secret_key = get_env_variable('APP_SECRET_KEY')
# Set secret key to enable sessions # Set secret key to enable sessions
app.secret_key = secret_key app.secret_key = secret_key
csrf_protection_string = None # https://www.inoreader.com/oauth2/auth
AUTH_URL = 'https://github.com/login/oauth/authorize'
@app.route('/') @app.route('/')
def home(): def home():
@ -44,12 +45,11 @@ def home():
last_synced=last_synced, next_sync=next_sync) last_synced=last_synced, next_sync=next_sync)
# Generate a CSRF protection string # Generate a CSRF protection string
global csrf_protection_string session['csrf_protection_string'] = os.urandom(16).hex()
csrf_protection_string = os.urandom(16).hex()
# Pass dynamic variables to the template # Pass dynamic variables to the template
return render_template('login.html', client_id=client_id, redirect_uri=redirect_uri, return render_template('login.html', auth_url=AUTH_URL, client_id=client_id, redirect_uri=redirect_uri,
optional_scopes=optional_scopes, csrf_protection_string=csrf_protection_string) optional_scopes=optional_scopes, csrf_protection_string=session.get('csrf_protection_string'))
@app.route('/oauth-redirect') @app.route('/oauth-redirect')
def oauth_redirect(): def oauth_redirect():
@ -57,8 +57,8 @@ def oauth_redirect():
csrf_token = request.args.get('state') csrf_token = request.args.get('state')
# Verify the CSRF protection string # Verify the CSRF protection string
if csrf_token != csrf_protection_string: if csrf_token != session.get('csrf_protection_string'):
abort(400, 'Invalid CSRF token. Please try again.') abort(403, 'Invalid CSRF token. Please try again.')
# Exchange authorization code for access and refresh tokens # Exchange authorization code for access and refresh tokens
# response = requests.post( # response = requests.post(

View File

@ -15,8 +15,7 @@
var encodedOptionalScopes = encodeURIComponent('{{ optional_scopes }}'); var encodedOptionalScopes = encodeURIComponent('{{ optional_scopes }}');
// Construct the URL using Jinja variables // Construct the URL using Jinja variables
// var oauthUrl = `https://www.inoreader.com/oauth2/auth?client_id={{ client_id }}&redirect_uri=${encodedRedirectUri}&response_type=code&scope=${encodedOptionalScopes}&state={{ csrf_protection_string }}`; var oauthUrl = `{{ auth_url }}?client_id={{ client_id }}&redirect_uri=${encodedRedirectUri}&response_type=code&scope=${encodedOptionalScopes}&state={{ csrf_protection_string }}`;
var oauthUrl = `https://github.com/login/oauth/authorize?client_id={{ client_id }}&redirect_uri=${encodedRedirectUri}&response_type=code&scope=${encodedOptionalScopes}&state={{ csrf_protection_string }}`;
// Redirect to the constructed URL // Redirect to the constructed URL
window.location.href = oauthUrl; window.location.href = oauthUrl;