Ok, now working 100% correctly with nonce.

Signed-off-by: Cliff Hill <clifford.hill@gsa.gov>
2026-05-05 16:38:59 -04:00 · 2024-09-26 09:18:02 -04:00
parent 7b2d495c1b
commit 81a629935c
2 changed files with 26 additions and 10 deletions
--- a/app/main/views/index.py
+++ b/app/main/views/index.py
@@ -1,6 +1,15 @@
 import os
+import secrets

-from flask import abort, current_app, redirect, render_template, request, url_for
+from flask import (
+    abort,
+    current_app,
+    redirect,
+    render_template,
+    request,
+    session,
+    url_for,
+)
 from flask_login import current_user

 from app import status_api_client
@@ -23,8 +32,12 @@ def index():
    )
    url = os.getenv("LOGIN_DOT_GOV_INITIAL_SIGNIN_URL")
    # handle unit tests
+
+    nonce = secrets.token_urlsafe()
+    session["nonce"] = nonce
+
    if url is not None:
-        url = url.replace("NONCE", token)
+        url = url.replace("NONCE", nonce)
        url = url.replace("STATE", token)
    return render_template(
        "views/signedout.html",
--- a/app/main/views/sign_in.py
+++ b/app/main/views/sign_in.py
@@ -1,5 +1,6 @@
 import json
 import os
+import secrets
 import time
 import uuid

@@ -13,6 +14,7 @@ from flask import (
    redirect,
    render_template,
    request,
+    session,
    url_for,
 )
 from flask_login import current_user
@@ -87,14 +89,11 @@ def _get_access_token(code, state):  # pragma: no cover
    )

    nonce = id_token["nonce"]
-    state = request.args.get("state")
-
-    if nonce != state:
-        current_app.logger.warning(f"{nonce} != {state}")
+    saved_nonce = session.pop("nonce")
+    if nonce != saved_nonce:
+        current_app.logger.error(f"Nonce Error: {nonce} != {saved_nonce}")
        abort(403)

-    # redis_client.delete(redis_key)
-
    try:
        access_token = response_json["access_token"]
    except KeyError as e:
@@ -225,11 +224,15 @@ def sign_in():  # pragma: no cover
        current_app.config["DANGEROUS_SALT"],
    )
    url = os.getenv("LOGIN_DOT_GOV_INITIAL_SIGNIN_URL")
-    state = request.args.get("state")
+
+    nonce = secrets.token_urlsafe()
+    session["nonce"] = nonce
+
    # handle unit tests
    if url is not None:
-        url = url.replace("NONCE", state)  # We are getting the state back as the nonce.
+        url = url.replace("NONCE", nonce)
        url = url.replace("STATE", token)
+
    return render_template(
        "views/signin.html",
        again=bool(redirect_url),