2 Commits

Author SHA1 Message Date
herel 8f9aec7631 fix: IDC State/Nonce Not Validated 2026-06-29 16:53:14 +02:00
herel bf7f7273e9 fix: add timeout for request 2026-06-29 16:52:35 +02:00
2 changed files with 12 additions and 3 deletions
+1
View File
@@ -624,6 +624,7 @@ def mobile_login(config_section: str | None = None):
"https://app.myice.hockey/api/mobilerest/login",
headers=mobile_headers,
data=f"login_email={base64.b64encode(username.encode()).decode()}&login_password={base64.b64encode(password.encode()).decode()}&language=FR&v=2",
timeout=(5, 30),
# verify=False,
) as r:
r.raise_for_status()
+11 -3
View File
@@ -135,8 +135,13 @@ async def login(request: Request):
"""Redirect to Infomaniak OIDC login"""
import urllib.parse
state = "random_state_string" # In production, use a proper random state
nonce = "random_nonce_string" # In production, use a proper random nonce
import secrets
state = secrets.token_urlsafe(32)
nonce = secrets.token_urlsafe(32)
# Store in a secure signed session cookie
request.state.oidc_state = state
request.state.oidc_nonce = nonce
# Store state and nonce in session (simplified for this example)
# In production, use proper session management
@@ -155,8 +160,11 @@ async def login(request: Request):
@app.get("/callback")
async def callback(code: str, state: str):
async def callback(request: Request, code: str, state: str):
"""Handle OIDC callback and exchange code for token"""
expected_state = request.state.oidc_state
if not expected_state or state != expected_state:
raise HTTPException(403, detail="Invalid state parameter")
# Exchange authorization code for access token
token_data = {
"grant_type": "authorization_code",