Nonce is working now for invites.

Signed-off-by: Cliff Hill <clifford.hill@gsa.gov>
This commit is contained in:
Cliff Hill
2024-10-15 16:52:29 -04:00
parent da6882774b
commit 8c40538334
4 changed files with 12 additions and 15 deletions

View File

@@ -18,6 +18,7 @@ from notifications_utils.url_safe_token import generate_token
def index():
if current_user and current_user.is_authenticated:
return redirect(url_for("main.choose_account"))
token = generate_token(
str(request.remote_addr),
current_app.config["SECRET_KEY"],
@@ -26,9 +27,11 @@ def index():
url = os.getenv("LOGIN_DOT_GOV_INITIAL_SIGNIN_URL")
# handle unit tests
current_app.logger.warning(f"############### {str(request.remote_addr)}")
nonce = secrets.token_urlsafe()
redis_key = f"login-nonce-{unquote(token)}"
redis_key = f"login-nonce-{unquote(nonce)}"
redis_client.set(redis_key, nonce)
if url is not None:

View File

@@ -1,5 +1,6 @@
import base64
import json
from urllib.parse import unquote
import uuid
from datetime import datetime, timedelta
@@ -167,14 +168,6 @@ def set_up_your_profile():
if redis_client.get(f"invitedata-{state}") is None:
access_token = sign_in._get_access_token(code, state)
request_json = request.json()
id_token = get_id_token(request_json)
nonce = id_token["nonce"]
stored_nonce = redis_client.get(f"login-nonce-{state}").decode("utf8")
if nonce != stored_nonce:
current_app.logger.error(f"Nonce Error: {nonce} != {stored_nonce}")
abort(403)
debug_msg("Got the access token for login.gov")
user_email, user_uuid = sign_in._get_user_email_and_uuid(access_token)
debug_msg(

View File

@@ -66,12 +66,9 @@ def _get_access_token(code, state): # pragma: no cover
response_json = response.json()
id_token = get_id_token(response_json)
nonce = id_token["nonce"]
redis_key = f"login-nonce-{state}"
redis_key = f"login-nonce-{unquote(nonce)}"
stored_nonce = redis_client.get(redis_key).decode("utf8")
# 'login-nonce-IjEyNy4wLjAuMSI%2EZw51tw%2EWIkNwqJKjDsd_mAGc2Jgh39KnS4'
# 'login-nonce-IjEyNy4wLjAuMSI.Zw51tw.WIkNwqJKjDsd_mAGc2Jgh39KnS4'
if nonce != stored_nonce:
current_app.logger.error(f"Nonce Error: {nonce} != {stored_nonce}")
abort(403)
@@ -214,7 +211,8 @@ def sign_in(): # pragma: no cover
url = os.getenv("LOGIN_DOT_GOV_INITIAL_SIGNIN_URL")
nonce = secrets.token_urlsafe()
redis_key = f"login-nonce-{unquote(token)}"
redis_key = f"-{unquote(nonce)}"
current_app.logger.info(f"<<<<<<<<<<<<<<<<<<<<<<<< redis key: {redis_key}")
redis_client.set(redis_key, nonce)
# handle unit tests

View File

@@ -1,6 +1,9 @@
import base64
import json
import secrets
from urllib.parse import unquote
from flask import current_app, request
from app import redis_client
from app.notify_client import NotifyAdminAPIClient, _attach_current_user, cache
@@ -46,7 +49,7 @@ class InviteApiClient(NotifyAdminAPIClient):
# make and store the nonce
nonce = secrets.token_urlsafe()
redis_key = f"login-nonce-{state}"
redis_key = f"login-nonce-{unquote(nonce)}"
redis_client.set(f"{redis_key}", nonce) # save the nonce to redis.
data["nonce"] = nonce # This is passed to api for the invite url.