Commit 03072ffc authored by Jérome Perrin's avatar Jérome Perrin

oauth_facebook_login: reuse setAuthCookie

setAuthCookie sets authentication cookies with all the necessary
attributes that make sense for security.

It's also how auto-logout for inactivity is implemented.
parent 62feb4d9
import time
request = container.REQUEST
response = request.RESPONSE
def handleError(error):
context.Base_redirect(
'login_form',
......@@ -21,7 +24,7 @@ elif code is not None:
access_token = response_dict['access_token'].encode('utf-8')
hash_str = context.Base_getHMAC(access_token, access_token)
context.REQUEST.RESPONSE.setCookie('__ac_facebook_hash', hash_str, path='/')
context.setAuthCookie(response, '__ac_facebook_hash', hash_str)
# store timestamp in second since the epoch in UTC is enough
response_dict["response_timestamp"] = time.time()
......@@ -45,7 +48,7 @@ elif code is not None:
# https://developers.facebook.com/support/bugs/318390728250352/?disable_redirect=0
# https://stackoverflow.com/questions/7131909/facebook-callback-appends-to-return-url/33257076#33257076
# https://lab.nexedi.com/nexedi/erp5/merge_requests/417#note_64365
came_from = context.REQUEST.get("came_from", portal.absolute_url() + "#")
return context.REQUEST.RESPONSE.redirect(came_from)
came_from = request.get("came_from", portal.absolute_url() + "#")
return response.redirect(came_from)
return handleError('')
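Review bot: The new `return response.redirect(came_from)` still sends the browser to whatever `came_from` value arrived in the request, with no check that it points back into this portal, so a successful login can end on an arbitrary external URL (an open redirect); the removed lines had the same behaviour, so this is not introduced here, but the commit rewrites exactly these two lines and is the natural place to close it. A minimal guard is to parse `came_from` with `urlparse` and fall back to `portal.absolute_url() + "#"` when its scheme or netloc differs from the portal's, rather than a plain `startswith` on the URL string, which a host like `portal.example.com.attacker.example` would pass. The `elif code is not None:` branch named in the hunk header starts outside the hunk, and the script's earlier hunks are only partly visible, so I cannot tell whether `came_from` is validated before this point; if it is, a short comment above the `request.get(...)` line saying where would make that obvious.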
......@@ -111,6 +111,17 @@ class TestFacebookLogin(ERP5TypeTestCase):
self.assertNotIn("secret_key=", location)
self.assertIn("ERP5Site_callbackFacebookLogin", location)
def test_auth_cookie(self):
request = self.portal.REQUEST
response = request.RESPONSE
# (the secure flag is only set if we accessed through https)
request.setServerURL('https', 'example.com')
self.portal.ERP5Site_callbackFacebookLogin(code=CODE)
ac_cookie, = [v for (k, v) in response.listHeaders() if k.lower() == 'set-cookie' and '__ac_facebook_hash=' in v]
self.assertIn('; Secure', ac_cookie)
self.assertIn('; HTTPOnly', ac_cookie)
def test_create_user_in_ERP5Site_createFacebookUserToOAuth(self):
"""
Check if ERP5 set cookie properly after receive code from external service
......