erp5_oauth2_authorisation: Drop login retry URL double base64-encoding

Fernet tokens are urlsafe-base64-encoded, so re-encoding them is useless. This change breaks compabitility with what should be a transient login state (lasting as long as the login form is opened in any browser). So the consequence is that a user failing to authenticate will be redirected to a safe location (ex: the website's home page) instead of getting to the login form again. This should not be worth either a systematic double-decrypting (which could lead to harder to debug decryption errors) or some heuristic trying to guess if the value is in fact double-encoded.

erp5_oauth2_authorisation: Drop login retry URL double base64-encoding
Fernet tokens are urlsafe-base64-encoded, so re-encoding them is useless. This change breaks compabitility with what should be a transient login state (lasting as long as the login form is opened in any browser). So the consequence is that a user failing to authenticate will be redirected to a safe location (ex: the website's home page) instead of getting to the login form again. This should not be worth either a systematic double-decrypting (which could lead to harder to debug decryption errors) or some heuristic trying to guess if the value is in fact double-encoded.
915b20c4 · Vincent Pelletier · 8041c090 · 915b20c4
Commit 915b20c4 authored Jun 13, 2023 by Vincent Pelletier
Showing with 3 additions and 8 deletions

bt5/erp5_oauth2_authorisation/DocumentTemplateItem/portal_components/document.erp5.OAuth2AuthorisationServerConnector.py ...nents/document.erp5.OAuth2AuthorisationServerConnector.py +3 -8

No files found.
--- a/bt5/erp5_oauth2_authorisation/DocumentTemplateItem/portal_components/document.erp5.OAuth2AuthorisationServerConnector.py
+++ b/bt5/erp5_oauth2_authorisation/DocumentTemplateItem/portal_components/document.erp5.OAuth2AuthorisationServerConnector.py
@@ -25,7 +25,6 @@
 #
 ##############################################################################
-import base64
 import contextlib
 from functools import wraps
 from io import BytesIO
@@ -1025,7 +1024,7 @@ class OAuth2AuthorisationServerConnector(XMLObject):
    """
    try:
      login_retry_url = self.__getLoginRetryURLMultiFernet().decrypt(
-        base64.urlsafe_b64decode(REQUEST.form['login_retry_url']),
+        REQUEST.form['login_retry_url'],
      )
    except (fernet.InvalidToken, TypeError, KeyError):
      # No login_retry_url provided or its value is unusable: if this is a GET
@@ -1040,9 +1039,7 @@ class OAuth2AuthorisationServerConnector(XMLObject):
    def getSignedLoginRetryUrl():
      if login_retry_url is None:
        return None
-      return base64.urlsafe_b64encode(
+      return self.__getLoginRetryURLMultiFernet().encrypt(login_retry_url)
-        self.__getLoginRetryURLMultiFernet().encrypt(login_retry_url),
-      )
    return _ERP5AuthorisationEndpoint(
      server_connector_path=self.getPath(),
      zope_request=REQUEST,
@@ -1075,9 +1072,7 @@ class OAuth2AuthorisationServerConnector(XMLObject):
      method=method,
      query_list=query_list + [(
        'login_retry_url',
-        base64.urlsafe_b64encode(
+        self.__getLoginRetryURLMultiFernet().encrypt(login_retry_url),
-          self.__getLoginRetryURLMultiFernet().encrypt(login_retry_url),
-        ),
      )],
    ) as inner_request:
      # pylint: disable=unexpected-keyword-arg, no-value-for-parameter