make state non-arbitrary

2025-12-12 08:12:27 -05:00 · 2024-04-02 13:18:21 -07:00
parent 9ecbfd24ff
commit 23e66db2a9
3 changed files with 34 additions and 3 deletions
--- a/app/dao/users_dao.py
+++ b/app/dao/users_dao.py
@@ -2,6 +2,8 @@ import uuid
 from datetime import datetime, timedelta
 from secrets import randbelow

+import sqlalchemy
+from flask import current_app
 from sqlalchemy import func
 from sqlalchemy.orm import joinedload

@@ -39,7 +41,17 @@ def get_login_gov_user(login_uuid, email_address):
    user = User.query.filter_by(login_uuid=login_uuid).first()
    if user:
        if user.email_address != email_address:
-            save_user_attribute(user, {"email_address": email_address})
+            try:
+                save_user_attribute(user, {"email_address": email_address})
+            except sqlalchemy.exc.IntegrityError as ie:
+                # We are trying to change the email address as a courtesy,
+                # based on the assumption that the user has somehow changed their
+                # address in login.gov.
+                # But if we cannot change the email address, at least we don't
+                # want to fail here, otherwise the user will be locked out.
+                current_app.logger.error(ie)
+                db.session.rollback()
+
        return user
    # Remove this 1 July 2025, all users should have login.gov uuids by now
    user = User.query.filter_by(email_address=email_address).first()
--- a/app/organization/invite_rest.py
+++ b/app/organization/invite_rest.py
@@ -52,6 +52,15 @@ def invite_user_to_org(organization_id):
        current_app.config["ORGANIZATION_INVITATION_EMAIL_TEMPLATE_ID"]
    )

+    token = generate_token(
+        str(invited_org_user.email_address),
+        current_app.config["SECRET_KEY"],
+        current_app.config["DANGEROUS_SALT"],
+    )
+    url = os.environ["LOGIN_DOT_GOV_REGISTRATION_URL"]
+    url = url.replace("NONCE", token)
+    url = url.replace("STATE", token)
+
    personalisation = {
        "user_name": (
            "The Notify.gov team"
@@ -59,7 +68,7 @@ def invite_user_to_org(organization_id):
            else invited_org_user.invited_by.name
        ),
        "organization_name": invited_org_user.organization.name,
-        "url": os.environ["LOGIN_DOT_GOV_REGISTRATION_URL"],
+        "url": url,
    }
    saved_notification = persist_notification(
        template_id=template.id,
--- a/app/service_invite/rest.py
+++ b/app/service_invite/rest.py
@@ -37,10 +37,20 @@ def _create_service_invite(invited_user, invite_link_host):
    template = dao_get_template_by_id(template_id)

    service = Service.query.get(current_app.config["NOTIFY_SERVICE_ID"])
+
+    token = generate_token(
+        str(invited_user.email_address),
+        current_app.config["SECRET_KEY"],
+        current_app.config["DANGEROUS_SALT"],
+    )
+    url = os.environ["LOGIN_DOT_GOV_REGISTRATION_URL"]
+    url = url.replace("NONCE", token)
+    url = url.replace("STATE", token)
+
    personalisation = {
        "user_name": invited_user.from_user.name,
        "service_name": invited_user.service.name,
-        "url": os.environ["LOGIN_DOT_GOV_REGISTRATION_URL"],
+        "url": url,
    }

    saved_notification = persist_notification(