diff --git a/areas/auth/auth.py b/areas/auth/auth.py
index 2bfd938..b7a05eb 100644
--- a/areas/auth/auth.py
+++ b/areas/auth/auth.py
@@ -1,11 +1,11 @@
-from flask import jsonify
+from flask import jsonify, request
 from flask_jwt_extended import create_access_token
 from flask_cors import cross_origin
 from datetime import timedelta
 from areas import api_v1
 from config import *
-from helpers import HydraOauth
+from helpers import HydraOauth, BadRequest
 @api_v1.route("/login", methods=["POST"])
@@ -18,7 +18,11 @@ def login():
 @api_v1.route("/hydra/callback")
 @cross_origin()
 def hydra_callback():
- token = HydraOauth.get_token()
+ state = request.args.get("state")
+ if state == None:
+ raise BadRequest("Missing state query param")
+
+ token = HydraOauth.get_token(state)
 access_token = create_access_token(
 identity=token, expires_delta=timedelta(days=365)
 )
diff --git a/helpers/hydra_oauth.py b/helpers/hydra_oauth.py
index ea84695..96bd13d 100644
--- a/helpers/hydra_oauth.py
+++ b/helpers/hydra_oauth.py
@@ -24,11 +24,9 @@ class HydraOauth:
 raise HydraError(str(err), 500)
 @staticmethod
- def get_token():
+ def get_token(state):
 try:
- hydra = OAuth2Session(
- HYDRA_CLIENT_ID, state=session[HydraOauth.SESSION_KEY]
- )
+ hydra = OAuth2Session(HYDRA_CLIENT_ID, state=state)
 token = hydra.fetch_token(
 TOKEN_URL,
 client_secret=HYDRA_CLIENT_SECRET,
diff --git a/run_app.sh b/run_app.sh
index 302f141..b1c9342 100755
--- a/run_app.sh
+++ b/run_app.sh
@@ -23,7 +23,7 @@ export FLASK_ENV=development
 export SECRET_KEY="e38hq!@0n64g@qe6)5csk41t=ljo2vllog(%k7njnm4b@kh42c"
 export KRATOS_URL="http://127.0.0.1:8000"
 export HYDRA_CLIENT_ID="dashboard"
-export HYDRA_CLIENT_SECRET="BrYRtKygtrcwGHviUSqybvFTgfnaZgPh"
+export HYDRA_CLIENT_SECRET="gDSEuakxzybHBHJocnmtDOLMwlWWEvPh"
 export HYDRA_AUTHORIZATION_BASE_URL="https://sso.init.stackspin.net/oauth2/auth"
 export TOKEN_URL="https://sso.init.stackspin.net/oauth2/token"
 flask run
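Review bot: The `state` that `hydra_callback` now hands to `HydraOauth.get_token` is read from the query string of the very redirect the identity provider sent back, so `OAuth2Session(HYDRA_CLIENT_ID, state=state)` ends up comparing the returned state against itself and the CSRF protection that the OAuth2 `state` parameter provides no longer rejects anything; the same defect is in the helpers/hydra_oauth.py hunk, where the `session[HydraOauth.SESSION_KEY]` read that supplied the server-side expected value was removed. The expected state has to come from what the application stored when it built the authorization URL (the session key the removed code used, or another server-held value), and the `state` query parameter should only ever be compared against that, never used as the reference. Separately, `if state == None:` should be `if state is None:` per PEP 8, and because `request.args.get("state")` returns `""` for `?state=`, `if not state:` would reject that case too. hydra_callback's body continues past the end of the hunk.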
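Review bot: `get_token(state)` gains a parameter with no docstring saying what value the caller is expected to supply; the old code made the contract implicit by reading `session[HydraOauth.SESSION_KEY]`, and that hint is gone now. I would add `"""Fetch a token from TOKEN_URL; `state` must be the value this application saved when it built the authorization URL, so the library can reject a callback that did not originate here."""` directly under the `def` line. The `try` block and the rest of get_token continue outside the hunk, so the `except` path is not visible here.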
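Review bot: The rotated `HYDRA_CLIENT_SECRET` is still a string literal in a committed script, next to a literal `SECRET_KEY`, so the new value is exposed exactly like the one it replaces and the old one remains in history; rotating a secret without moving it out of the repository does not close the exposure, and both values in this hunk should be treated as compromised. I would keep only `export HYDRA_CLIENT_SECRET="${HYDRA_CLIENT_SECRET:?set HYDRA_CLIENT_SECRET in the environment}"` here (and the same shape for `SECRET_KEY`), with the real values loaded from an untracked env file or a secret store before `flask run`. A comment on the line noting that the script must never contain credentials would help the next person who edits it.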