diff --git a/myice/webapi.py b/myice/webapi.py index ddaa4ad..3183dfd 100644 --- a/myice/webapi.py +++ b/myice/webapi.py @@ -135,8 +135,13 @@ async def login(request: Request): """Redirect to Infomaniak OIDC login""" import urllib.parse - state = "random_state_string" # In production, use a proper random state - nonce = "random_nonce_string" # In production, use a proper random nonce + import secrets + + state = secrets.token_urlsafe(32) + nonce = secrets.token_urlsafe(32) + # Store in a secure signed session cookie + request.state.oidc_state = state + request.state.oidc_nonce = nonce # Store state and nonce in session (simplified for this example) # In production, use proper session management @@ -155,8 +160,11 @@ async def login(request: Request): @app.get("/callback") -async def callback(code: str, state: str): +async def callback(request: Request, code: str, state: str): """Handle OIDC callback and exchange code for token""" + expected_state = request.state.oidc_state + if not expected_state or state != expected_state: + raise HTTPException(403, detail="Invalid state parameter") # Exchange authorization code for access token token_data = { "grant_type": "authorization_code",