From f713ed3a353e69169eb2efaff5a7ea93dae77067 Mon Sep 17 00:00:00 2001
From: James Dougan
Date: Mon, 28 Oct 2024 12:53:11 +0000
Subject: [PATCH 1/3] Add more open id scopes and ability to migrate providers

---
 jams/models/auth.py |  1 +
 jams/routes/auth.py | 32 +++++++++++++++++++++++---------
 2 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/jams/models/auth.py b/jams/models/auth.py
index 2f9ed62..abbbbec 100644
--- a/jams/models/auth.py
+++ b/jams/models/auth.py
@@ -51,6 +51,7 @@ class User(UserMixin, db.Model):
     roles = relationship('Role', secondary='user_roles', backref='users')
     fs_uniquifier = Column(String(255), unique=True, nullable=False, default=lambda: str(uuid.uuid4()))
     open_id_sub = Column(String(255), unique=True, nullable=True) # OpenID 'sub' claim
+    open_id_migration = Column(Boolean, nullable=False, default=False, server_default='false')
     user_induction = Column(Boolean(), nullable=False, default=False, server_default='false')
     avatar_url = Column(String(255), nullable=True)
 
diff --git a/jams/routes/auth.py b/jams/routes/auth.py
index 2fa559e..ce53292 100644
--- a/jams/routes/auth.py
+++ b/jams/routes/auth.py
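Review bot: `open_id_migration` is a standing authorisation to re-bind this account's OpenID identity, and nothing on the model says so; a reader of `User` cannot tell that the login route consumes and clears it. Document it in the style of the neighbouring `open_id_sub` comment, e.g. `# when True, the next OIDC login whose email matches this account may overwrite open_id_sub; cleared on use`. The column carries no expiry or audit information, so the comment should also say that it is meant to be set only immediately before the user's migration login and that whoever sets it is responsible for the window it opens.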
@@ -56,19 +56,33 @@ def authorise():
     token = client.authorize_access_token()
     user_info = token['userinfo']
 
-    user_email = user_info['email']
+    user_email = None
+    if 'email' not in user_info:
+        if 'emails' in user_info:
+            user_emails = user_info['emails']
+            user_email = user_emails[0]
+    else:
+        user_email = user_info['email']
     user_sub = user_info['sub']
 
     user = User.query.filter_by(open_id_sub=user_sub).first()
     if not user:
-        random_password = ''.join(random.choices(string.ascii_letters + string.digits, k=16))
-        user = User(
-            email=user_email,
-            username=user_email,
-            password=hash_password(random_password),
-            open_id_sub=user_sub)
-        db.session.add(user)
-        user.activate()
+        user = User.query.filter_by(email=user_email).first()
+        if not user:
+            random_password = ''.join(random.choices(string.ascii_letters + string.digits, k=16))
+            user = User(
+                email=user_email,
+                username=user_email,
+                password=hash_password(random_password),
+                open_id_sub=user_sub)
+            db.session.add(user)
+            user.activate()
+        else:
+            if user.open_id_migration:
+                user.open_id_sub = user_sub
+                user.open_id_migration = False
+            else:
+                abort(403)
     db.session.commit()
     login_user(user)
 

From 4cb36dcabb796320a97aa81efda4045260db90e2 Mon Sep 17 00:00:00 2001
From: James Dougan
Date: Mon, 28 Oct 2024 13:48:58 +0000
Subject: [PATCH 2/3] test state printing

---
 jams/routes/auth.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/jams/routes/auth.py b/jams/routes/auth.py
index ce53292..b6b5eb6 100644
--- a/jams/routes/auth.py
+++ b/jams/routes/auth.py
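Review bot: The new `else:` branch binds `user_sub` to an existing account on the strength of an `email`/`emails` claim alone, without checking that the provider asserted the address as verified, so a provider that lets users set an arbitrary email (or a second provider the app is later pointed at) can claim any account whose `open_id_migration` flag is set. Gate the link on the standard claim, `elif user.open_id_migration and user_info.get('email_verified') is True:`, and treat a missing address as a failure instead of falling through to `User.query.filter_by(email=None)` and a `User(email=None, username=None, ...)`: `if not user_email: abort(400)` before the lookup. `user_emails[0]` raises IndexError on an empty `emails` list, so `user_email = user_emails[0] if user_emails else None` is the safer read. The indentation of the `else:` after the `emails` block is not recoverable from this collapsed hunk; if it pairs with the inner `if 'emails'` rather than the outer `if 'email' not in user_info`, the `user_info['email']` read raises KeyError exactly when `email` is absent. The re-indented `random.choices(...)` password is hashed and stored as a real credential, so if local login is enabled it should come from `secrets.choice` rather than `random`.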
@@ -26,7 +26,12 @@ def login():
         if next_url:
             session['next'] = next_url
 
-        return client.authorize_redirect(redirect_uri)
+        # Trigger the authorization redirect and capture the state
+        response = client.authorize_redirect(redirect_uri)
+        session['oauth_state'] = request.args.get('state') # Store the generated state in session
+        print("Initial state:", session['oauth_state']) # Print the initial state
+
+        return response
     elif local_auth_enabled:
         form = CustomLoginForm()
         return render_template('/security/login_user.html', login_user_form=form, next=next_url)
@@ -53,6 +58,17 @@ def register():
 @bp.route('/authorise')
 def authorise():
     client = oauth.create_client(get_config_value(ConfigType.OAUTH_PROVIDER_NAME))
+
+    # Retrieve and print both stored and received state
+    stored_state = session.get('oauth_state')
+    received_state = request.args.get('state')
+    print("Stored state:", stored_state)
+    print("Received state:", received_state)
+
+    if stored_state != received_state:
+        print("State mismatch error!")
+        return "State mismatch error", 400
+
     token = client.authorize_access_token()
     user_info = token['userinfo']
 

From 1fd4167ad0c3e32997f6afdc914257031f3d0245 Mon Sep 17 00:00:00 2001
From: James Dougan
Date: Mon, 28 Oct 2024 13:56:08 +0000
Subject: [PATCH 3/3] comment out return statement

---
 jams/routes/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/jams/routes/auth.py b/jams/routes/auth.py
index b6b5eb6..b5daa03 100644
--- a/jams/routes/auth.py
+++ b/jams/routes/auth.py
@@ -67,7 +67,7 @@ def authorise():
     if stored_state != received_state:
         print("State mismatch error!")
-        return "State mismatch error", 400
+        #return "State mismatch error", 400
 
     token = client.authorize_access_token()
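Review bot: `session['oauth_state'] = request.args.get('state')` stores the `state` parameter of the incoming `/login` request, i.e. a caller-controlled value or `None`, not the state authlib generated for `response`, so the comment "Store the generated state in session" is wrong and the saved value can never verify the callback. If a manual copy is really wanted, the generated value is in the redirect itself (`parse_qs(urlparse(response.location).query).get('state', [None])[0]`, which needs `urllib.parse` imported), but as far as I can tell authlib's `authorize_redirect` already persists its state in the session for `authorize_access_token()` to check, which would make the copy redundant. The `print("Initial state:", ...)` writes an OAuth state value to stdout for every login; it should be a debug-level logger call at most, and the commit subject "test state printing" suggests this whole block is scaffolding that should not be merged as-is. `login` begins before this hunk.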
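Review bot: The new `stored_state != received_state` guard rejects every legitimate callback, because the session value it reads is whatever `/login` received in its own query string (normally `None`) rather than the state authlib put in the redirect, so the callback's `state` never equals it. Either drop the guard and rely on `authorize_access_token()`, which as far as I can tell already validates the callback state against what authlib stored, or make `/login` persist the generated state so the comparison is meaningful; weakening it to log-only, as the follow-up commit on this page does, leaves code that looks like CSRF protection but enforces nothing. The two `print(...)` calls echo the OAuth state on every callback and should become `logger.debug` lines or be removed before merge. `authorise` continues past this hunk.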