darkhelm/notifications-admin
1
0
Fork 0
mirror of https://github.com/GSA/notifications-admin.git synced 2026-05-06 00:48:46 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2108 from GSA/ADMIN-2098_Fix_Login_For_Email_Verify_And_Expire_Redis_Stuff

Browse Source 
Fixed email verify, put time limits on redis stuff.
This commit is contained in:
Steven Reilly
2024-11-13 12:59:26 -05:00
committed by GitHub
parent 01e52b9a20 cc5c4114e0
commit a95138f344
4 changed files with 35 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
app/main/views/index.py
View File

@@ -35,6 +35,8 @@ def index():
if current_user and current_user.is_authenticated:
return redirect(url_for("main.choose_account"))
ttl = 24 * 60 * 60
# make and store the state
state = generate_token(
str(request.remote_addr),
@@ -42,12 +44,12 @@ def index():
current_app.config["DANGEROUS_SALT"],
)
state_key = f"login-state-{unquote(state)}"
redis_client.set(state_key, state)
redis_client.set(state_key, state, ex=ttl)
# make and store the nonce
nonce = secrets.token_urlsafe()
nonce_key = f"login-nonce-{unquote(nonce)}"
redis_client.set(nonce_key, nonce)
redis_client.set(nonce_key, nonce, ex=ttl)
url = os.getenv("LOGIN_DOT_GOV_INITIAL_SIGNIN_URL")
if url is not None:

27
app/main/views/sign_in.py
View File

@@ -108,11 +108,18 @@ def _do_login_dot_gov(): # $ pragma: no cover
)
raise Exception(f"Could not login with login.gov {login_gov_error}")
elif code and state:
state_key = f"login-state-{unquote(state)}"
stored_state = unquote(redis_client.get(state_key).decode("utf8"))
if state != stored_state:
current_app.logger.error(f"State Error: {state} != {stored_state}")
abort(403)
try:
state_key = f"login-state-{unquote(state)}"
stored_state = unquote(redis_client.get(state_key).decode("utf8"))
if state != stored_state:
current_app.logger.error(f"State Error: {state} != {stored_state}")
abort(403)
except AttributeError: # There is no stored state
verify_key = f"login-verify_email-{unquote(state)}"
verify_path = bool(redis_client.get(verify_key))
if not verify_path:
current_app.logger.error("Not verify_email path, no state found.")
abort(403)
# activate the user
try:
@@ -135,6 +142,10 @@ def _do_login_dot_gov(): # $ pragma: no cover
user["email_access_validated_at"], 90
)
if not is_fresh_email:
# send email verify
ttl = 24 * 60 * 60
verify_key = f"login-verify_email-{unquote(state)}"
redis_client.set(verify_key, state, ex=ttl)
return verify_email(user, redirect_url)
usr = User.from_email_address(user["email_address"])
@@ -209,17 +220,19 @@ def sign_in(): # pragma: no cover
return redirect(redirect_url)
return redirect(url_for("main.show_accounts_or_dashboard"))
ttl = 24 * 60 * 60
state = generate_token(
str(request.remote_addr),
current_app.config["SECRET_KEY"],
current_app.config["DANGEROUS_SALT"],
)
state_key = f"login-state-{unquote(state)}"
redis_client.set(state_key, state)
redis_client.set(state_key, state, ex=ttl)
nonce = secrets.token_urlsafe()
nonce_key = f"login-nonce-{unquote(nonce)}"
redis_client.set(nonce_key, nonce)
redis_client.set(nonce_key, nonce, ex=ttl)
url = os.getenv("LOGIN_DOT_GOV_INITIAL_SIGNIN_URL")
# handle unit tests

16
app/notify_client/invite_api_client.py
View File

@@ -41,6 +41,8 @@ class InviteApiClient(NotifyAdminAPIClient):
}
data = _attach_current_user(data)
ttl = 24 * 60 * 60
# make and store the state
state = generate_token(
str(request.remote_addr),
@@ -48,12 +50,12 @@ class InviteApiClient(NotifyAdminAPIClient):
current_app.config["DANGEROUS_SALT"],
)
state_key = f"login-state-{unquote(state)}"
redis_client.set(state_key, state)
redis_client.set(state_key, state, ex=ttl)
# make and store the nonce
nonce = secrets.token_urlsafe()
nonce_key = f"login-nonce-{unquote(nonce)}"
redis_client.set(nonce_key, nonce) # save the nonce to redis.
redis_client.set(nonce_key, nonce, ex=ttl) # save the nonce to redis.
data["nonce"] = nonce # This is passed to api for the invite url.
data["state"] = state # This is passed to api for the invite url.
@@ -64,7 +66,7 @@ class InviteApiClient(NotifyAdminAPIClient):
invite_data_key = f"invitedata-{unquote(state)}"
redis_invite_data = resp["invite"]
redis_invite_data = json.dumps(redis_invite_data)
redis_client.set(invite_data_key, redis_invite_data)
redis_client.set(invite_data_key, redis_invite_data, ex=ttl)
return resp_data
@@ -97,6 +99,8 @@ class InviteApiClient(NotifyAdminAPIClient):
self.post(url=f"/service/{service_id}/invite/{invited_user_id}", data=data)
def resend_invite(self, service_id, invited_user_id):
ttl = 24 * 60 * 60
# make and store the state
state = generate_token(
str(request.remote_addr),
@@ -104,12 +108,12 @@ class InviteApiClient(NotifyAdminAPIClient):
current_app.config["DANGEROUS_SALT"],
)
state_key = f"login-state-{unquote(state)}"
redis_client.set(state_key, state)
redis_client.set(state_key, state, ex=ttl)
# make and store the nonce
nonce = secrets.token_urlsafe()
nonce_key = f"login-nonce-{unquote(nonce)}"
redis_client.set(nonce_key, nonce)
redis_client.set(nonce_key, nonce, ex=ttl)
data = {
"nonce": nonce,
@@ -122,7 +126,7 @@ class InviteApiClient(NotifyAdminAPIClient):
invite_data_key = f"invitedata-{unquote(state)}"
redis_invite_data = resp["invite"]
redis_invite_data = json.dumps(redis_invite_data)
redis_client.set(invite_data_key, redis_invite_data)
redis_client.set(invite_data_key, redis_invite_data, ex=ttl)
@cache.delete("service-{service_id}")
@cache.delete("user-{invited_user_id}")

2
app/notify_client/user_api_client.py
View File

@@ -116,7 +116,7 @@ class UserApiClient(NotifyAdminAPIClient):
data["next"] = next_string
if code_type == "email":
data["email_auth_link_host"] = self.admin_url
endpoint = "/user/{0}/{1}-code".format(user_id, code_type)
endpoint = f"/user/{user_id}/{code_type}-code"
current_app.logger.warn(hilite(f"Sending verify_code {code_type} to {user_id}"))
self.post(endpoint, data=data)