Django 1.10: Sign google oauth requests using csrf token.

In Django 1.10, the get_token function returns a salted version of csrf token which changes whenever get_token is called. This gives us wrong result when we compare the state after returning from Google authentication servers. The solution is to unsalt the token and use that token to find the HMAC so that we get the same value as long as t he token is same.
2025-11-04 14:03:30 +00:00 · 2016-11-07 15:16:40 +05:00
parent d837753d4b
commit 1e91b946d9
2 changed files with 10 additions and 1 deletions
--- a/zerver/tests/test_auth_backends.py
+++ b/zerver/tests/test_auth_backends.py
@@ -520,6 +520,7 @@ class GoogleOAuthTest(ZulipTestCase):
        if 'google' not in result.url:
            return result

+        self.client.cookies = result.cookies
        # Now extract the CSRF token from the redirect URL
        parsed_url = urllib.parse.urlparse(result.url)
        csrf_state = urllib.parse.parse_qs(parsed_url.query)['state']
--- a/zerver/views/auth.py
+++ b/zerver/views/auth.py
@@ -148,7 +148,15 @@ def remote_user_jwt(request):

 def google_oauth2_csrf(request, value):
    # type: (HttpRequest, str) -> HttpResponse
-    return hmac.new(get_token(request).encode('utf-8'), value.encode("utf-8"), hashlib.sha256).hexdigest()
+    # In Django 1.10, get_token returns a salted token which changes
+    # everytime get_token is called.
+    try:
+        from django.middleware.csrf import _unsalt_cipher_token
+        token = _unsalt_cipher_token(get_token(request))
+    except ImportError:
+        token = get_token(request)
+
+    return hmac.new(token.encode('utf-8'), value.encode("utf-8"), hashlib.sha256).hexdigest()

 def start_google_oauth2(request):
    # type: (HttpRequest) -> HttpResponse