From 34796a7d8257344ccf7c30363f98ce3417971807 Mon Sep 17 00:00:00 2001
From: Luka Radenovic <luka@init.hr>
Date: Thu, 20 Jan 2022 07:40:11 +0100
Subject: [PATCH] Use code instead of authorization_response

---
 areas/auth/auth.py     | 6 +++++-
 helpers/hydra_oauth.py | 6 +++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/areas/auth/auth.py b/areas/auth/auth.py
index b7a05ebd..098ed0aa 100644
--- a/areas/auth/auth.py
+++ b/areas/auth/auth.py
@@ -19,10 +19,14 @@ def login():
 @cross_origin()
 def hydra_callback():
     state = request.args.get("state")
+    code = request.args.get("code")
     if state == None:
         raise BadRequest("Missing state query param")
 
-    token = HydraOauth.get_token(state)
+    if code == None:
+        raise BadRequest("Missing code query param")
+
+    token = HydraOauth.get_token(state, code)
     access_token = create_access_token(
         identity=token, expires_delta=timedelta(days=365)
     )
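Review bot: The `state` forwarded to `HydraOauth.get_token` is taken straight from the callback's query string, and nothing in this hunk compares it with the value the application stored when it started the authorization request, so the check only rejects an absent state, not a forged one. Now that the token is fetched from `code` directly rather than from the redirect URL, the client library no longer compares the callback state itself, so that comparison has to live here, e.g. `if state != expected_state: raise BadRequest("Invalid state query param")` where `expected_state` is whatever was saved when the auth request was built (not shown in this diff). Both new and old checks should use `is None` rather than `== None`. hydra_callback continues past the end of the hunk.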
diff --git a/helpers/hydra_oauth.py b/helpers/hydra_oauth.py
index cdf79234..e29e10a4 100644
--- a/helpers/hydra_oauth.py
+++ b/helpers/hydra_oauth.py
@@ -24,14 +24,14 @@ class HydraOauth:
             raise HydraError(str(err), 500)
 
     @staticmethod
-    def get_token(state):
+    def get_token(state, code):
         try:
             hydra = OAuth2Session(HYDRA_CLIENT_ID, state=state)
             token = hydra.fetch_token(
                 TOKEN_URL,
+                code=code,
+                state=state,
                 client_secret=HYDRA_CLIENT_SECRET,
-                authorization_response="https://dashboard.init.stackspin.net"
-                + request.path,
             )
 
             session["hydra_token"] = token
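Review bot: `state=state` in the `fetch_token` call probably does not verify anything: if this `OAuth2Session` is the requests-oauthlib one, `fetch_token` has no `state` parameter and unknown keywords are forwarded into the token request body, so the value is sent to Hydra rather than checked. With `authorization_response` removed, the library's own comparison of the callback state is bypassed, leaving state validation entirely to the caller of `get_token`; the method should say so, e.g. `"""Exchange the callback's authorization code for a token. Does not validate state; the caller must compare it with the stored value."""`. If `request.path` was the only use of `request` in this module, that import is now unused. get_token continues past the end of the hunk.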
-- 
GitLab