fix: IDC State/Nonce Not Validated

This commit is contained in:
2026-06-29 16:53:14 +02:00
parent bf7f7273e9
commit 8f9aec7631
+11 -3
View File
@@ -135,8 +135,13 @@ async def login(request: Request):
"""Redirect to Infomaniak OIDC login"""
import urllib.parse
state = "random_state_string" # In production, use a proper random state
nonce = "random_nonce_string" # In production, use a proper random nonce
import secrets
state = secrets.token_urlsafe(32)
nonce = secrets.token_urlsafe(32)
# Store in a secure signed session cookie
request.state.oidc_state = state
request.state.oidc_nonce = nonce
# Store state and nonce in session (simplified for this example)
# In production, use proper session management
@@ -155,8 +160,11 @@ async def login(request: Request):
@app.get("/callback")
async def callback(code: str, state: str):
async def callback(request: Request, code: str, state: str):
"""Handle OIDC callback and exchange code for token"""
expected_state = request.state.oidc_state
if not expected_state or state != expected_state:
raise HTTPException(403, detail="Invalid state parameter")
# Exchange authorization code for access token
token_data = {
"grant_type": "authorization_code",