From 8c405383344da8263147e525d2a721cfdc73f473 Mon Sep 17 00:00:00 2001 From: Cliff Hill Date: Tue, 15 Oct 2024 16:52:29 -0400 Subject: [PATCH] Nonce is working now for invites. Signed-off-by: Cliff Hill --- app/main/views/index.py | 5 ++++- app/main/views/register.py | 9 +-------- app/main/views/sign_in.py | 8 +++----- app/notify_client/invite_api_client.py | 5 ++++- 4 files changed, 12 insertions(+), 15 deletions(-) diff --git a/app/main/views/index.py b/app/main/views/index.py index e7226ad7d..4b0b57783 100644 --- a/app/main/views/index.py +++ b/app/main/views/index.py @@ -18,6 +18,7 @@ from notifications_utils.url_safe_token import generate_token def index(): if current_user and current_user.is_authenticated: return redirect(url_for("main.choose_account")) + token = generate_token( str(request.remote_addr), current_app.config["SECRET_KEY"], @@ -26,9 +27,11 @@ def index(): url = os.getenv("LOGIN_DOT_GOV_INITIAL_SIGNIN_URL") # handle unit tests + current_app.logger.warning(f"############### {str(request.remote_addr)}") + nonce = secrets.token_urlsafe() - redis_key = f"login-nonce-{unquote(token)}" + redis_key = f"login-nonce-{unquote(nonce)}" redis_client.set(redis_key, nonce) if url is not None: diff --git a/app/main/views/register.py b/app/main/views/register.py index 475fa4578..3222944fd 100644 --- a/app/main/views/register.py +++ b/app/main/views/register.py @@ -1,5 +1,6 @@ import base64 import json +from urllib.parse import unquote import uuid from datetime import datetime, timedelta @@ -167,14 +168,6 @@ def set_up_your_profile(): if redis_client.get(f"invitedata-{state}") is None: access_token = sign_in._get_access_token(code, state) - request_json = request.json() - id_token = get_id_token(request_json) - nonce = id_token["nonce"] - stored_nonce = redis_client.get(f"login-nonce-{state}").decode("utf8") - if nonce != stored_nonce: - current_app.logger.error(f"Nonce Error: {nonce} != {stored_nonce}") - abort(403) - debug_msg("Got the access token for login.gov") user_email, user_uuid = sign_in._get_user_email_and_uuid(access_token) debug_msg( diff --git a/app/main/views/sign_in.py b/app/main/views/sign_in.py index 8cbc16aff..dc08a93cc 100644 --- a/app/main/views/sign_in.py +++ b/app/main/views/sign_in.py @@ -66,12 +66,9 @@ def _get_access_token(code, state): # pragma: no cover response_json = response.json() id_token = get_id_token(response_json) nonce = id_token["nonce"] - redis_key = f"login-nonce-{state}" + redis_key = f"login-nonce-{unquote(nonce)}" stored_nonce = redis_client.get(redis_key).decode("utf8") - # 'login-nonce-IjEyNy4wLjAuMSI%2EZw51tw%2EWIkNwqJKjDsd_mAGc2Jgh39KnS4' - # 'login-nonce-IjEyNy4wLjAuMSI.Zw51tw.WIkNwqJKjDsd_mAGc2Jgh39KnS4' - if nonce != stored_nonce: current_app.logger.error(f"Nonce Error: {nonce} != {stored_nonce}") abort(403) @@ -214,7 +211,8 @@ def sign_in(): # pragma: no cover url = os.getenv("LOGIN_DOT_GOV_INITIAL_SIGNIN_URL") nonce = secrets.token_urlsafe() - redis_key = f"login-nonce-{unquote(token)}" + redis_key = f"-{unquote(nonce)}" + current_app.logger.info(f"<<<<<<<<<<<<<<<<<<<<<<<< redis key: {redis_key}") redis_client.set(redis_key, nonce) # handle unit tests diff --git a/app/notify_client/invite_api_client.py b/app/notify_client/invite_api_client.py index 328a87e58..8e063f777 100644 --- a/app/notify_client/invite_api_client.py +++ b/app/notify_client/invite_api_client.py @@ -1,6 +1,9 @@ import base64 import json import secrets +from urllib.parse import unquote + +from flask import current_app, request from app import redis_client from app.notify_client import NotifyAdminAPIClient, _attach_current_user, cache @@ -46,7 +49,7 @@ class InviteApiClient(NotifyAdminAPIClient): # make and store the nonce nonce = secrets.token_urlsafe() - redis_key = f"login-nonce-{state}" + redis_key = f"login-nonce-{unquote(nonce)}" redis_client.set(f"{redis_key}", nonce) # save the nonce to redis. data["nonce"] = nonce # This is passed to api for the invite url.