From 45728d1383665c72b418ae480ddf57f3983adfcb Mon Sep 17 00:00:00 2001
From: Luka Radenovic <luka@init.hr>
Date: Wed, 19 Jan 2022 09:16:22 +0100
Subject: [PATCH] Take state from query param on hydra callback

---
 areas/auth/auth.py     | 10 +++++++---
 helpers/hydra_oauth.py |  6 ++----
 run_app.sh             |  2 +-
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/areas/auth/auth.py b/areas/auth/auth.py
index 2bfd938d..b7a05ebd 100644
--- a/areas/auth/auth.py
+++ b/areas/auth/auth.py
@@ -1,11 +1,11 @@
-from flask import jsonify
+from flask import jsonify, request
 from flask_jwt_extended import create_access_token
 from flask_cors import cross_origin
 from datetime import timedelta
 
 from areas import api_v1
 from config import *
-from helpers import HydraOauth
+from helpers import HydraOauth, BadRequest
 
 
 @api_v1.route("/login", methods=["POST"])
@@ -18,7 +18,11 @@ def login():
 @api_v1.route("/hydra/callback")
 @cross_origin()
 def hydra_callback():
-    token = HydraOauth.get_token()
+    state = request.args.get("state")
+    if state == None:
+        raise BadRequest("Missing state query param")
+
+    token = HydraOauth.get_token(state)
     access_token = create_access_token(
         identity=token, expires_delta=timedelta(days=365)
     )
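Review bot: Taking `state` from `request.args` and passing it straight into `HydraOauth.get_token(state)` makes the OAuth state check self-referential: the value `OAuth2Session` is told to expect is the callback's own `state` parameter, so any value passes and the CSRF protection that the session-stored state used to provide is gone (the same defect applies to the `get_token` hunk in helpers/hydra_oauth.py). The expected value has to come from something the browser cannot choose — the state saved in the session when the authorization URL was built — and the query value should be compared to it, e.g. `expected = session.get(HydraOauth.SESSION_KEY)` / `if state is None or state != expected: raise BadRequest("Invalid or missing state query param")`, with `session` imported from flask. If the session lookup was dropped because the cookie is not sent on the callback, that cookie/session configuration is the thing to fix rather than the check to remove. Minor: `state == None` should be `state is None`. `hydra_callback` continues past the end of the hunk.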
diff --git a/helpers/hydra_oauth.py b/helpers/hydra_oauth.py
index ea846951..96bd13d4 100644
--- a/helpers/hydra_oauth.py
+++ b/helpers/hydra_oauth.py
@@ -24,11 +24,9 @@ class HydraOauth:
             raise HydraError(str(err), 500)
 
     @staticmethod
-    def get_token():
+    def get_token(state):
         try:
-            hydra = OAuth2Session(
-                HYDRA_CLIENT_ID, state=session[HydraOauth.SESSION_KEY]
-            )
+            hydra = OAuth2Session(HYDRA_CLIENT_ID, state=state)
             token = hydra.fetch_token(
                 TOKEN_URL,
                 client_secret=HYDRA_CLIENT_SECRET,
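Review bot: `get_token(state)` now accepts any caller-supplied value and nothing in the signature says where it must originate, which is easy to misuse given that the previous implementation took it from the session. A docstring should state the contract, e.g. `"""Exchange the callback's authorization code for a token. ``state`` must be the value stored in the session when the authorization URL was issued, not the raw callback query parameter."""`. The body of `get_token` continues outside the hunk.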
diff --git a/run_app.sh b/run_app.sh
index 302f141d..b1c9342f 100755
--- a/run_app.sh
+++ b/run_app.sh
@@ -23,7 +23,7 @@ export FLASK_ENV=development
 export SECRET_KEY="e38hq!@0n64g@qe6)5csk41t=ljo2vllog(%k7njnm4b@kh42c"
 export KRATOS_URL="http://127.0.0.1:8000"
 export HYDRA_CLIENT_ID="dashboard"
-export HYDRA_CLIENT_SECRET="BrYRtKygtrcwGHviUSqybvFTgfnaZgPh"
+export HYDRA_CLIENT_SECRET="gDSEuakxzybHBHJocnmtDOLMwlWWEvPh"
 export HYDRA_AUTHORIZATION_BASE_URL="https://sso.init.stackspin.net/oauth2/auth"
 export TOKEN_URL="https://sso.init.stackspin.net/oauth2/token"
 flask run
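Review bot: The replacement `HYDRA_CLIENT_SECRET` on the `+` line is a credential committed to the repository next to `SECRET_KEY`; rotating it in place leaves the previous value in git history and records the new one there as well. The script should read these from the environment or an untracked file, e.g. `export HYDRA_CLIENT_SECRET="${HYDRA_CLIENT_SECRET:?set in environment}"`, and both committed values treated as exposed. This assumes they are not purely throwaway local values; `FLASK_ENV=development` suggests a dev script, but the token URL points at a real host, so the assumption is worth confirming.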
-- 
GitLab