Commit a177f200 authored by Vincent Pelletier's avatar Vincent Pelletier Committed by Kazuhiko Shiozaki

erp5_oauth2_authorisation: Drop login retry URL double base64-encoding

Fernet tokens are urlsafe-base64-encoded, so re-encoding them is
useless.

This change breaks compabitility with what should be a transient login state
(lasting as long as the login form is opened in any browser). So the
consequence is that a user failing to authenticate will be redirected to a
safe location (ex: the website's home page) instead of getting to the login
form again.
This should not be worth either a systematic double-decrypting (which could
lead to harder to debug decryption errors) or some heuristic trying to
guess if the value is in fact double-encoded.
parent 432ba160
......@@ -25,7 +25,6 @@
#
##############################################################################
import base64
import contextlib
from functools import wraps
from io import BytesIO
......@@ -1025,7 +1024,7 @@ class OAuth2AuthorisationServerConnector(XMLObject):
"""
try:
login_retry_url = self.__getLoginRetryURLMultiFernet().decrypt(
base64.urlsafe_b64decode(REQUEST.form['login_retry_url']),
REQUEST.form['login_retry_url'],
)
except (fernet.InvalidToken, TypeError, KeyError):
# No login_retry_url provided or its value is unusable: if this is a GET
......@@ -1040,9 +1039,7 @@ class OAuth2AuthorisationServerConnector(XMLObject):
def getSignedLoginRetryUrl():
if login_retry_url is None:
return None
return base64.urlsafe_b64encode(
self.__getLoginRetryURLMultiFernet().encrypt(login_retry_url),
)
return self.__getLoginRetryURLMultiFernet().encrypt(login_retry_url)
return _ERP5AuthorisationEndpoint(
server_connector_path=self.getPath(),
zope_request=REQUEST,
......@@ -1075,9 +1072,7 @@ class OAuth2AuthorisationServerConnector(XMLObject):
method=method,
query_list=query_list + [(
'login_retry_url',
base64.urlsafe_b64encode(
self.__getLoginRetryURLMultiFernet().encrypt(login_retry_url),
),
self.__getLoginRetryURLMultiFernet().encrypt(login_retry_url),
)],
) as inner_request:
# pylint: disable=unexpected-keyword-arg, no-value-for-parameter
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment