Use state in AuthorizationService

It's a paranoid safety precaution, but better safe than sorry.
Reported by WhiteHats; F-1.1.1
This commit is contained in:
Jaime van Kessel 2020-01-31 16:11:59 +01:00
parent ca25ec3dbc
commit 1269de744f
No known key found for this signature in database
GPG key ID: 3710727397403C91
4 changed files with 20 additions and 4 deletions


@ -153,13 +153,15 @@ class AuthorizationService:
verification_code = self._auth_helpers.generateVerificationCode()
challenge_code = self._auth_helpers.generateVerificationCodeChallenge(verification_code)
state = AuthorizationHelpers.generateVerificationCode()
# Create the query string needed for the OAuth2 flow.
query_string = urlencode({
"client_id": self._settings.CLIENT_ID,
"redirect_uri": self._settings.CALLBACK_URL,
"scope": self._settings.CLIENT_SCOPES,
"response_type": "code",
"state": "(.Y.)",
"state": state, # Forever in our Hearts, RIP "(.Y.)" (2018-2020)
"code_challenge": challenge_code,
"code_challenge_method": "S512"
})
@ -168,7 +170,7 @@ class AuthorizationService:
QDesktopServices.openUrl(QUrl("{}?{}".format(self._auth_url, query_string)))
# Start a local web server to receive the callback URL on.
self._server.start(verification_code)
self._server.start(verification_code, state)
## Callback method for the authentication flow.
def _onAuthStateChanged(self, auth_response: AuthenticationResponse) -> None: