From 8f9aec7631da977a2766e4c5d5f8819636390c3d Mon Sep 17 00:00:00 2001 From: Rene Luria Date: Mon, 29 Jun 2026 16:53:14 +0200 Subject: [PATCH] fix: IDC State/Nonce Not Validated --- myice/webapi.py | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/myice/webapi.py b/myice/webapi.py index ddaa4ad..3183dfd 100644 --- a/myice/webapi.py +++ b/myice/webapi.py @@ -135,8 +135,13 @@ async def login(request: Request): """Redirect to Infomaniak OIDC login""" import urllib.parse - state = "random_state_string" # In production, use a proper random state - nonce = "random_nonce_string" # In production, use a proper random nonce + import secrets + + state = secrets.token_urlsafe(32) + nonce = secrets.token_urlsafe(32) + # Store in a secure signed session cookie + request.state.oidc_state = state + request.state.oidc_nonce = nonce # Store state and nonce in session (simplified for this example) # In production, use proper session management @@ -155,8 +160,11 @@ async def login(request: Request): @app.get("/callback") -async def callback(code: str, state: str): +async def callback(request: Request, code: str, state: str): """Handle OIDC callback and exchange code for token""" + expected_state = request.state.oidc_state + if not expected_state or state != expected_state: + raise HTTPException(403, detail="Invalid state parameter") # Exchange authorization code for access token token_data = { "grant_type": "authorization_code",