csrf

2020-07-22 05:28:46 +02:00 · 2020-07-22 05:28:46 +02:00 · 2b0bd411a0
commit 2b0bd411a0
parent e066cf2c03
1 changed files with 17 additions and 6 deletions
--- a/oauth/views.py
+++ b/oauth/views.py
@ -25,17 +25,23 @@ def register(_):

 def register_callback(req: HttpRequest):
    code = req.GET['code']
+    csrftoken = req.COOKIES.get('csrftoken')
+    print(csrftoken)
    response = requests.post(settings.OAUTH["AUTHORIZE_URI"],
                             data={'code': code,
                                   'grant_type': 'authorization_code',
                                   'client_id': settings.OAUTH["CLIENT_ID"],
                                   'client_secret': settings.OAUTH["CLIENT_SECRET"],
-                                   'redirect_uri': settings.OAUTH["REDIRECT_URI"]})
+                                   'redirect_uri': settings.OAUTH["REDIRECT_URI"]},
+                             cookies=None,
+                             headers={'Referer': f'{settings.SERVER_URL}/login/zeus/register'})
    try:
        if response.status_code == 200:
            json: dict = response.json()
+            csrftoken = response.cookies['csrftoken']
+            print(response.cookies)
            # TODO: maybe later do something with the refresh token.
-            user: dict = user_info(json['access_token'])
+            user: dict = user_info(json['access_token'], csrftoken)
            if 'username' not in user.keys() or 'id' not in user.keys():
                raise OAuthException(f'username and id are expected values: {user}')
            else:
@ -44,11 +50,12 @@ def register_callback(req: HttpRequest):
                login(req, validated_user)
                redirect('/')
        else:
-            raise OAuthException(f'Status code not 200, response: {response.json()}')
+            print(response.request)
+            raise OAuthException(f'Status code not 200, response: {response}')
    except OAuthException as e:
        logger.error(e)

-    return register('')
+    return redirect('/')


 def validate_user(zeus_id, username) -> CustomUser:
@ -60,6 +67,10 @@ def validate_user(zeus_id, username) -> CustomUser:
    return user


-def user_info(access_token):
-    r = requests.get(settings.OAUTH["USER_API_URI"], headers={'Authorization': f'Bearer {access_token}'})
+def user_info(access_token, csrftoken):
+    r = requests.get(
+        settings.OAUTH["USER_API_URI"],
+        headers={'Authorization': f'Bearer {access_token}'},
+        cookies={'csrftoken': csrftoken}
+    )
    return r.json()