Commit c79e5e64 authored by Jérome Perrin's avatar Jérome Perrin

oauth_google_login: reuse setAuthCookie

setAuthCookie sets authentication cookies with all the necessary
attributes that make sense for security.

It's also how auto-logout for inactivity is implemented.
parent b2123e0e
import time import time
request = container.REQUEST
response = request.RESPONSE
def handleError(error): def handleError(error):
context.Base_redirect( context.Base_redirect(
'login_form', 'login_form',
...@@ -19,7 +22,7 @@ elif code is not None: ...@@ -19,7 +22,7 @@ elif code is not None:
if response_dict is not None: if response_dict is not None:
access_token = response_dict['access_token'].encode('utf-8') access_token = response_dict['access_token'].encode('utf-8')
hash_str = context.Base_getHMAC(access_token, access_token) hash_str = context.Base_getHMAC(access_token, access_token)
context.REQUEST.RESPONSE.setCookie('__ac_google_hash', hash_str, path='/') context.setAuthCookie(response, '__ac_google_hash', hash_str)
# store timestamp in second since the epoch in UTC is enough # store timestamp in second since the epoch in UTC is enough
response_dict["response_timestamp"] = time.time() response_dict["response_timestamp"] = time.time()
context.Base_setBearerToken(hash_str, context.Base_setBearerToken(hash_str,
...@@ -33,7 +36,6 @@ elif code is not None: ...@@ -33,7 +36,6 @@ elif code is not None:
method = getattr(context, "ERP5Site_createGoogleUserToOAuth", None) method = getattr(context, "ERP5Site_createGoogleUserToOAuth", None)
if method is not None: if method is not None:
method(user_reference, user_dict) method(user_reference, user_dict)
return context.REQUEST.RESPONSE.redirect( return response.redirect(request.get("came_from") or context.absolute_url())
context.REQUEST.get("came_from") or context.absolute_url())
return handleError('') return handleError('')
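Review bot: The new `context.setAuthCookie(response, '__ac_google_hash', hash_str)` line drops the explicit `path='/'` that the old `setCookie` call carried, so the cookie's Path now depends on what setAuthCookie chooses, which is not visible in this diff. If it does not pin the path itself, the hash cookie would be scoped to the callback URL rather than the whole site, which would silently break the login for other paths; worth confirming against setAuthCookie's implementation. The new test_auth_cookie in the second file could pin this down by asserting the Path (and SameSite, if setAuthCookie emits one) alongside Secure and HTTPOnly, e.g. `self.assertIn('; Path=/', ac_cookie)`. The enclosing `elif code is not None:` branch starts outside the hunk.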
...@@ -148,6 +148,17 @@ class TestGoogleLogin(ERP5TypeTestCase): ...@@ -148,6 +148,17 @@ class TestGoogleLogin(ERP5TypeTestCase):
self.assertNotIn("secret_key=", location) self.assertNotIn("secret_key=", location)
self.assertIn("ERP5Site_receiveGoogleCallback", location) self.assertIn("ERP5Site_receiveGoogleCallback", location)
def test_auth_cookie(self):
request = self.portal.REQUEST
response = request.RESPONSE
# (the secure flag is only set if we accessed through https)
request.setServerURL('https', 'example.com')
self.portal.ERP5Site_receiveGoogleCallback(code=CODE)
ac_cookie, = [v for (k, v) in response.listHeaders() if k.lower() == 'set-cookie' and '__ac_google_hash=' in v]
self.assertIn('; Secure', ac_cookie)
self.assertIn('; HTTPOnly', ac_cookie)
def test_create_user_in_ERP5Site_createGoogleUserToOAuth(self): def test_create_user_in_ERP5Site_createGoogleUserToOAuth(self):
""" """
Check if ERP5 set cookie properly after receive code from external service Check if ERP5 set cookie properly after receive code from external service
......