Django 1.10: Sign google oauth requests using csrf token.

In Django 1.10, the get_token function returns a salted version of the
csrf token which changes whenever get_token is called. This gives
us a wrong result when we compare the state after returning from
Google authentication servers. The solution is to unsalt the token
and use that token to find the HMAC so that we get the same value
as long as the token is the same.
This commit is contained in:
Umair Khan
2016-11-07 15:16:40 +05:00
parent d837753d4b
commit 1e91b946d9
2 changed files with 10 additions and 1 deletions
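To show the problem the commit message describes, here is an added example (not Zulip's or Django's own code) that re-implements Django 1.10's CSRF salting scheme in stand-alone helpers; the names `get_token`, `unsalt_cipher_token`, `naive_state` and `oauth_state`, the 32-character secret and the HMAC key are assumptions made for the demonstration. Hashing the salted token gives a different state on every call, while hashing the unsalted secret is stable.

```python
import hashlib
import hmac
import secrets
import string

# Mirrors the masking scheme in Django 1.10's django.middleware.csrf
# (re-implemented here as an assumption, not imported from Django):
# a 32-char secret is combined with a fresh 32-char salt on every
# get_token() call, so the returned token differs each time.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32


def _salt_cipher_secret(secret: str) -> str:
    """Return salt + cipher, cipher[i] = (secret[i] + salt[i]) mod 62."""
    chars = CSRF_ALLOWED_CHARS
    salt = "".join(secrets.choice(chars) for _ in range(CSRF_SECRET_LENGTH))
    pairs = zip((chars.index(x) for x in secret), (chars.index(x) for x in salt))
    cipher = "".join(chars[(x + y) % len(chars)] for x, y in pairs)
    return salt + cipher


def unsalt_cipher_token(token: str) -> str:
    """Invert _salt_cipher_secret: strip the salt and undo the shift."""
    chars = CSRF_ALLOWED_CHARS
    salt, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    pairs = zip((chars.index(x) for x in cipher), (chars.index(x) for x in salt))
    return "".join(chars[(x - y) % len(chars)] for x, y in pairs)


def get_token(secret: str) -> str:
    """Stand-in for django.middleware.csrf.get_token: new salt every call."""
    return _salt_cipher_secret(secret)


def naive_state(csrf_token: str, key: bytes) -> str:
    """The broken approach: HMAC over the salted token (differs per call)."""
    return hmac.new(key, csrf_token.encode(), hashlib.sha256).hexdigest()


def oauth_state(csrf_token: str, key: bytes) -> str:
    """The fix: HMAC over the unsalted secret, stable across get_token calls."""
    unsalted = unsalt_cipher_token(csrf_token)
    return hmac.new(key, unsalted.encode(), hashlib.sha256).hexdigest()


def state_matches(sent_state: str, returned_token: str, key: bytes) -> bool:
    """Constant-time comparison of the state Google echoes back."""
    return hmac.compare_digest(sent_state, oauth_state(returned_token, key))
```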


@@ -520,6 +520,7 @@ class GoogleOAuthTest(ZulipTestCase):
if 'google' not in result.url:
return result
self.client.cookies = result.cookies
# Now extract the CSRF token from the redirect URL
parsed_url = urllib.parse.urlparse(result.url)
csrf_state = urllib.parse.parse_qs(parsed_url.query)['state']
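Review bot: `urllib.parse.parse_qs` returns a list of values for each key, so `csrf_state` on the last line of this hunk is a list such as `['...']`, not the state string; if it is later compared with the `state` Google echoes back or fed into the HMAC, index it with `parse_qs(parsed_url.query)['state'][0]` (or use `parse_qsl`). The bare `['state']` lookup also turns a redirect without a state parameter into a KeyError rather than a readable test failure; an `assertIn('state', ...)` before it would make that case explicit.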