fix: IDC State/Nonce Not Validated
This commit is contained in:
+11
-3
@@ -135,8 +135,13 @@ async def login(request: Request):
|
||||
"""Redirect to Infomaniak OIDC login"""
|
||||
import urllib.parse
|
||||
|
||||
state = "random_state_string" # In production, use a proper random state
|
||||
nonce = "random_nonce_string" # In production, use a proper random nonce
|
||||
import secrets
|
||||
|
||||
state = secrets.token_urlsafe(32)
|
||||
nonce = secrets.token_urlsafe(32)
|
||||
# Store in a secure signed session cookie
|
||||
request.state.oidc_state = state
|
||||
request.state.oidc_nonce = nonce
|
||||
|
||||
# Store state and nonce in session (simplified for this example)
|
||||
# In production, use proper session management
|
||||
@@ -155,8 +160,11 @@ async def login(request: Request):
|
||||
|
||||
|
||||
@app.get("/callback")
|
||||
async def callback(code: str, state: str):
|
||||
async def callback(request: Request, code: str, state: str):
|
||||
"""Handle OIDC callback and exchange code for token"""
|
||||
expected_state = request.state.oidc_state
|
||||
if not expected_state or state != expected_state:
|
||||
raise HTTPException(403, detail="Invalid state parameter")
|
||||
# Exchange authorization code for access token
|
||||
token_data = {
|
||||
"grant_type": "authorization_code",
|
||||
|
||||
Reference in New Issue
Block a user