From 15949603a21f7281256921c58afe6c92d2e2acfa Mon Sep 17 00:00:00 2001
From: mubarakalmehairbi
Date: Sun, 30 Jul 2023 11:19:55 +0400
Subject: [PATCH] Some security measures

---
 toui/apps.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/toui/apps.py b/toui/apps.py
index a8bca2f..8caaf59 100644
--- a/toui/apps.py
+++ b/toui/apps.py
@@ -758,9 +758,10 @@ def sign_in_using_google(self, client_id, client_secret, after_auth_url, additio
 if additional_scopes:
 for s in additional_scopes:
 scope += f" {s}"
- url = f"/toui-google-sign-in?after_auth_url={after_auth_url}&scope={scope}"
+ url = f"/toui-google-sign-in?scope={scope}"
 for key, value in other_params.items():
 url += f"&{key}={value}"
+ self.user_vars._set('google-after-auth-url', after_auth_url)
 self.open_new_page(url=url)
 
 @_ReqsChecker(['flask-basicauth'])
@@ -978,6 +979,9 @@ def _sign_in_using_google(self):
 client_id = self._google_data['client_id']
 client_secret = self._google_data['client_secret']
 scope = request.args.get("scope")
+ for s in scope.split(" "):
+ if not s.startswith("https://www.googleapis.com/auth/"):
+ raise Exception("Invalid scope. Scope should start with `https://www.googleapis.com/auth/`.")
 redirect_uri = request.base_url
 response_type = "code"
 access_type = request.args.get("access_type")
@@ -986,11 +990,7 @@ def _sign_in_using_google(self):
 enable_granular_consent = request.args.get("enable_granular_consent")
 login_hint = request.args.get("login_hint")
 prompt = request.args.get("prompt")
- after_auth_url = request.args.get("after_auth_url")
- if after_auth_url:
- self.user_vars._set('google-after-auth-url', after_auth_url)
- else:
- after_auth_url = self.user_vars._get('google-after-auth-url')
+ after_auth_url = self.user_vars._get('google-after-auth-url')
 username = request.args.get("username")
 if "code" in request.args:
 code = request.args.get("code")
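Review bot: The rebuilt `url` in the first hunk still interpolates `scope` and every `other_params` value into the query string without URL-encoding them, even though `scope` is built with literal spaces (`scope += f" {s}"`) and the values may contain `&`, `=` or `#`, which would corrupt the query the new server-side check in `_sign_in_using_google` then parses. Encoding the parameters also keeps the `scope.split(" ")` validation on the receiving side meaningful, since Flask decodes `+`/`%20` back to spaces. I would replace the two string-building lines with `url = "/toui-google-sign-in?" + urlencode({"scope": scope, **other_params})` and add `from urllib.parse import urlencode` at the top of the module. The enclosing `sign_in_using_google` starts before this hunk, so any earlier construction of `scope` is not visible here.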
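Review bot: In the second hunk `scope.split(" ")` is evaluated before anything checks that `scope` is present, and `request.args.get("scope")` returns `None` when the parameter is missing, so a request without it fails with an `AttributeError` (a 500) before the new validation runs; the validation itself also signals a client-supplied error by raising a bare `Exception`, which again surfaces as a 500 rather than a client error. I would write `scope = request.args.get("scope", "")` and reject with Flask's `abort(400, "Invalid scope ...")` instead of `raise Exception(...)`, keeping the same message. Note too that the prefix check rejects the short-form OpenID scopes (`openid`, `email`, `profile`), which do not carry the `https://www.googleapis.com/auth/` prefix; if the library intends to support them, the allow-list should name them explicitly rather than rely on the prefix alone. The enclosing `_sign_in_using_google` begins before this hunk.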
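Review bot: In the third hunk `after_auth_url = self.user_vars._get('google-after-auth-url')` can yield `None` when the callback is reached without a prior `sign_in_using_google` call in the same session (direct navigation, or the session being reset between the redirect and the callback), and the hunk continues without checking it; what happens with a `None` value is decided later in the function, outside this hunk, so I cannot tell whether it is handled. I would add `if not after_auth_url: abort(400, "Missing after-auth URL; start the sign-in from the application.")` right after the lookup, or fall back to a fixed default page, so that a missing value is rejected explicitly instead of propagating. It is also worth confirming that the stored value is cleared once the sign-in completes, so a stale target from an earlier attempt is not reused; that clean-up, if present, is not visible here. `_sign_in_using_google` starts before and ends after this hunk.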