From 817c01faff8231e4c7a8e1535659cde5dd5e506d Mon Sep 17 00:00:00 2001
From: Kenneth Kehl <@kkehl@flexion.us>
Date: Tue, 2 Apr 2024 13:32:32 -0700
Subject: [PATCH] change state to something non-arbitrary

---
 app/main/views/sign_in.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/app/main/views/sign_in.py b/app/main/views/sign_in.py
index 5ca935e56..e6e0f51d0 100644
--- a/app/main/views/sign_in.py
+++ b/app/main/views/sign_in.py
@@ -16,6 +16,7 @@ from flask import (
     url_for,
 )
 from flask_login import current_user
+from notifications_utils.url_safe_token import generate_token
 
 from app import login_manager, user_api_client
 from app.main import main
@@ -175,7 +176,14 @@ def sign_in():
 
     other_device = current_user.logged_in_elsewhere()
 
-    initial_signin_url = os.getenv("LOGIN_DOT_GOV_INITIAL_SIGNIN_URL")
+    token = generate_token(
+        str(request.remote_addr),
+        current_app.config["SECRET_KEY"],
+        current_app.config["DANGEROUS_SALT"],
+    )
+    url = os.environ["LOGIN_DOT_GOV_INITIAL_SIGNIN_URL"]
+    url = url.replace("NONCE", token)
+    url = url.replace("STATE", token)
 
     return render_template(
         "views/signin.html",
@@ -184,7 +192,7 @@ def sign_in():
         other_device=other_device,
         login_gov_enabled=True,
         password_reset_url=password_reset_url,
-        initial_signin_url=initial_signin_url,
+        initial_signin_url=url,
     )
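Review bot: The OIDC `state` and `nonce` written into the sign-in URL by the two `url.replace` lines in sign_in are the same value, are derived from `request.remote_addr` plus server secrets instead of a fresh per-request random value, and nothing in the hunk stores that value in the session so the callback can compare it — which is the whole purpose of `state` (CSRF/replay binding to the browser session that started the flow) and of `nonce` (binding the ID token to that same request). Behind a reverse proxy `remote_addr` is shared by every client, so every user would be issued an identical `state` within the token's timestamp granularity, and if generate_token is the signed timed serializer it appears to be the token is not secret either (it carries the IP in plain base64 plus a signature), so an unguessable value is still needed; the callback handler that must verify it against the stored value is outside this diff. Separately, sequential `str.replace` calls can match the literal `STATE` inside an already-inserted token, and `os.environ[...]` now raises `KeyError` where `os.getenv` returned `None`, so make sure that is the intended failure mode. Suggested shape, using stdlib `secrets` and flask's `session` (both would need importing in the header hunk), keeping two distinct values and persisting them for the callback. sign_in's body begins before this hunk and its render_template call continues in the next one.
```python
    other_device = current_user.logged_in_elsewhere()

    # Fresh, unguessable per-request values; the callback must compare
    # the returned state/nonce against these session entries.
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session["login_gov_state"] = state   # constructed key names — align with the callback
    session["login_gov_nonce"] = nonce
    url = os.environ["LOGIN_DOT_GOV_INITIAL_SIGNIN_URL"]
    url = url.replace("NONCE", nonce).replace("STATE", state)
    # … unchanged: render_template call …
```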