From 2b0bd411a069ee73ff36f3e8e57a2aac14a762e9 Mon Sep 17 00:00:00 2001
From: Francis
Date: Wed, 22 Jul 2020 05:28:46 +0200
Subject: [PATCH] csrf

---
 oauth/views.py | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/oauth/views.py b/oauth/views.py
index ebe1fb7..05ee0c7 100644
--- a/oauth/views.py
+++ b/oauth/views.py
@@ -25,17 +25,23 @@ def register(_):
 
 def register_callback(req: HttpRequest):
     code = req.GET['code']
+    csrftoken = req.COOKIES.get('csrftoken')
+    print(csrftoken)
     response = requests.post(settings.OAUTH["AUTHORIZE_URI"],
                              data={'code': code,
                                    'grant_type': 'authorization_code',
                                    'client_id': settings.OAUTH["CLIENT_ID"],
                                    'client_secret': settings.OAUTH["CLIENT_SECRET"],
-                                   'redirect_uri': settings.OAUTH["REDIRECT_URI"]})
+                                   'redirect_uri': settings.OAUTH["REDIRECT_URI"]},
+                             cookies=None,
+                             headers={'Referer': f'{settings.SERVER_URL}/login/zeus/register'})
     try:
         if response.status_code == 200:
             json: dict = response.json()
+            csrftoken = response.cookies['csrftoken']
+            print(response.cookies)
             # TODO: maybe later do something with the refresh token.
-            user: dict = user_info(json['access_token'])
+            user: dict = user_info(json['access_token'], csrftoken)
             if 'username' not in user.keys() or 'id' not in user.keys():
                 raise OAuthException(f'username and id are expected values: {user}')
             else:
@@ -44,11 +50,12 @@ def register_callback(req: HttpRequest):
                 login(req, validated_user)
                 redirect('/')
         else:
-            raise OAuthException(f'Status code not 200, response: {response.json()}')
+            print(response.request)
+            raise OAuthException(f'Status code not 200, response: {response}')
     except OAuthException as e:
         logger.error(e)
-        return register('')
+        return redirect('/')
 
 
 def validate_user(zeus_id, username) -> CustomUser:
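Review bot: `print(csrftoken)` and `print(response.cookies)` write the CSRF cookie value to the process's stdout, in the same scope where `response.json()` has just yielded an access token; drop these debug prints before merging, or reduce them to `logger.debug('token endpoint set cookies: %s', list(response.cookies.keys()))` so only cookie names, never values, are recorded. The `csrftoken` read from `req.COOKIES` is only printed and is then overwritten by `response.cookies['csrftoken']`, which raises `KeyError` when the upstream sets no such cookie — `except OAuthException` does not catch that, so the callback would fail with an unhandled error; `response.cookies.get('csrftoken')` is the safer form. `cookies=None` is the `requests` default and can go, whereas a `timeout=` argument is what the call actually lacks. Nothing in this hunk checks an OAuth `state` value against the session before `code` is exchanged; if that check does not live elsewhere, the login-CSRF exposure the commit title points at is still open. register_callback continues past the end of the hunk.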
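Review bot: The success path directly above the changed lines still discards its response — `redirect('/')` after `login(req, validated_user)` is not returned, so when everything works the view falls out of the `try` and returns `None`, which Django's handler rejects as a view result; it should read `return redirect('/')`, matching what the except branch now does. `print(response.request)` is another debug print that belongs in `logger.debug` or nowhere. Formatting `{response}` in the OAuthException message yields only `<Response [status]>`; `f'Status code not 200, response: {response.status_code} {response.reason}'` keeps the useful detail without calling `.json()` on a body that may not be JSON. Returning `redirect('/')` from the error path sends a failed login to the home page with no indication to the user, so the logged exception becomes the only trace; consider whether that is the intended experience. register_callback starts before this hunk.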
@@ -60,6 +67,10 @@ def validate_user(zeus_id, username) -> CustomUser:
     return user
 
 
-def user_info(access_token):
-    r = requests.get(settings.OAUTH["USER_API_URI"], headers={'Authorization': f'Bearer {access_token}'})
+def user_info(access_token, csrftoken):
+    r = requests.get(
+        settings.OAUTH["USER_API_URI"],
+        headers={'Authorization': f'Bearer {access_token}'},
+        cookies={'csrftoken': csrftoken}
+    )
     return r.json()
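Review bot: `csrftoken` became a required positional parameter of `user_info`, so any caller other than the one updated in this commit now fails with a `TypeError`; `def user_info(access_token, csrftoken=None):` together with `cookies={'csrftoken': csrftoken} if csrftoken else None` keeps the old call shape working. A CSRF cookie on a GET has no effect on a Django-style CSRF check, which only inspects unsafe methods and additionally expects a matching header or form field, so it is worth confirming that the user API actually requires it before the token is forwarded at all. The call has no `timeout=`, and `r.json()` is returned without looking at `r.status_code`, so an error page from the user API surfaces as a JSON decode error in the caller rather than as an OAuthException. A one-line docstring such as `"""Fetch the profile for *access_token* from the user API and return the decoded JSON body."""` would also help.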