Commit 915b20c4 authored by Vincent Pelletier's avatar Vincent Pelletier

erp5_oauth2_authorisation: Drop login retry URL double base64-encoding

Fernet tokens are urlsafe-base64-encoded, so re-encoding them is
useless.

This change breaks compabitility with what should be a transient login state
(lasting as long as the login form is opened in any browser). So the
consequence is that a user failing to authenticate will be redirected to a
safe location (ex: the website's home page) instead of getting to the login
form again.
This should not be worth either a systematic double-decrypting (which could
lead to harder to debug decryption errors) or some heuristic trying to
guess if the value is in fact double-encoded.
parent 8041c090
...@@ -25,7 +25,6 @@ ...@@ -25,7 +25,6 @@
# #
############################################################################## ##############################################################################
import base64
import contextlib import contextlib
from functools import wraps from functools import wraps
from io import BytesIO from io import BytesIO
...@@ -1025,7 +1024,7 @@ class OAuth2AuthorisationServerConnector(XMLObject): ...@@ -1025,7 +1024,7 @@ class OAuth2AuthorisationServerConnector(XMLObject):
""" """
try: try:
login_retry_url = self.__getLoginRetryURLMultiFernet().decrypt( login_retry_url = self.__getLoginRetryURLMultiFernet().decrypt(
base64.urlsafe_b64decode(REQUEST.form['login_retry_url']), REQUEST.form['login_retry_url'],
) )
except (fernet.InvalidToken, TypeError, KeyError): except (fernet.InvalidToken, TypeError, KeyError):
# No login_retry_url provided or its value is unusable: if this is a GET # No login_retry_url provided or its value is unusable: if this is a GET
...@@ -1040,9 +1039,7 @@ class OAuth2AuthorisationServerConnector(XMLObject): ...@@ -1040,9 +1039,7 @@ class OAuth2AuthorisationServerConnector(XMLObject):
def getSignedLoginRetryUrl(): def getSignedLoginRetryUrl():
if login_retry_url is None: if login_retry_url is None:
return None return None
return base64.urlsafe_b64encode( return self.__getLoginRetryURLMultiFernet().encrypt(login_retry_url)
self.__getLoginRetryURLMultiFernet().encrypt(login_retry_url),
)
return _ERP5AuthorisationEndpoint( return _ERP5AuthorisationEndpoint(
server_connector_path=self.getPath(), server_connector_path=self.getPath(),
zope_request=REQUEST, zope_request=REQUEST,
...@@ -1075,9 +1072,7 @@ class OAuth2AuthorisationServerConnector(XMLObject): ...@@ -1075,9 +1072,7 @@ class OAuth2AuthorisationServerConnector(XMLObject):
method=method, method=method,
query_list=query_list + [( query_list=query_list + [(
'login_retry_url', 'login_retry_url',
base64.urlsafe_b64encode( self.__getLoginRetryURLMultiFernet().encrypt(login_retry_url),
self.__getLoginRetryURLMultiFernet().encrypt(login_retry_url),
),
)], )],
) as inner_request: ) as inner_request:
# pylint: disable=unexpected-keyword-arg, no-value-for-parameter # pylint: disable=unexpected-keyword-arg, no-value-for-parameter
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment