From 4c891de47c52bd46933880891c63a7922260b2f8 Mon Sep 17 00:00:00 2001 From: Cliff Hill Date: Fri, 11 Oct 2024 13:46:53 -0400 Subject: [PATCH 1/2] Nonce stuff added. Signed-off-by: Cliff Hill --- app/service_invite/rest.py | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/app/service_invite/rest.py b/app/service_invite/rest.py index 5728b3ed5..e7d0d4b20 100644 --- a/app/service_invite/rest.py +++ b/app/service_invite/rest.py @@ -32,7 +32,7 @@ service_invite = Blueprint("service_invite", __name__) register_errors(service_invite) -def _create_service_invite(invited_user, invite_link_host): +def _create_service_invite(invited_user, nonce): template_id = current_app.config["INVITATION_EMAIL_TEMPLATE_ID"] @@ -40,12 +40,6 @@ def _create_service_invite(invited_user, invite_link_host): service = Service.query.get(current_app.config["NOTIFY_SERVICE_ID"]) - token = generate_token( - str(invited_user.email_address), - current_app.config["SECRET_KEY"], - current_app.config["DANGEROUS_SALT"], - ) - # The raw permissions are in the form "a,b,c,d" # but need to be in the form ["a", "b", "c", "d"] data = {} @@ -59,7 +53,8 @@ def _create_service_invite(invited_user, invite_link_host): data["invited_user_email"] = invited_user.email_address url = os.environ["LOGIN_DOT_GOV_REGISTRATION_URL"] - url = url.replace("NONCE", token) + + url = url.replace("NONCE", nonce) # handed from data sent from admin. user_data_url_safe = get_user_data_url_safe(data) @@ -94,10 +89,16 @@ def _create_service_invite(invited_user, invite_link_host): @service_invite.route("/service//invite", methods=["POST"]) def create_invited_user(service_id): request_json = request.get_json() + try: + nonce = request_json.pop("nonce") + except KeyError: + current_app.logger.exception("nonce not found in submitted data.") + raise + invited_user = invited_user_schema.load(request_json) save_invited_user(invited_user) - _create_service_invite(invited_user, request_json.get("invite_link_host")) + _create_service_invite(invited_user, nonce) return jsonify(data=invited_user_schema.dump(invited_user)), 201 From 0b648c98ddf833df722ba32cfd5e3749694ca7c8 Mon Sep 17 00:00:00 2001 From: Cliff Hill Date: Mon, 21 Oct 2024 16:37:31 -0400 Subject: [PATCH 2/2] Fixed tests Signed-off-by: Cliff Hill --- tests/app/service_invite/test_service_invite_rest.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/app/service_invite/test_service_invite_rest.py b/tests/app/service_invite/test_service_invite_rest.py index 07d0b4c23..5cea786f5 100644 --- a/tests/app/service_invite/test_service_invite_rest.py +++ b/tests/app/service_invite/test_service_invite_rest.py @@ -45,6 +45,7 @@ def test_create_invited_user( permissions="send_messages,manage_service,manage_api_keys", auth_type=AuthType.EMAIL, folder_permissions=["folder_1", "folder_2", "folder_3"], + nonce="FakeNonce", **extra_args, ) @@ -108,6 +109,7 @@ def test_create_invited_user_without_auth_type( "from_user": str(invite_from.id), "permissions": "send_messages,manage_service,manage_api_keys", "folder_permissions": [], + "nonce": "FakeNonce", } json_resp = admin_request.post( @@ -131,6 +133,7 @@ def test_create_invited_user_invalid_email(client, sample_service, mocker, fake_ "from_user": str(invite_from.id), "permissions": "send_messages,manage_service,manage_api_keys", "folder_permissions": [fake_uuid, fake_uuid], + "nonce": "FakeNonce", } data = json.dumps(data)