Merge branch '121-fix-consent-requests' into 'main'

Resolve "Fix consent requests" Closes #121 See merge request !95

Merge branch '121-fix-consent-requests' into 'main'
Resolve "Fix consent requests" Closes #121 See merge request !95
d5051e8f · Mart van Santen · 2a4b38f8 · 25cdf637 · d5051e8f
Commit d5051e8f authored 2 years ago by Mart van Santen
--- a/backend/web/login/login.py
+++ b/backend/web/login/login.py
@@ -228,15 +228,21 @@ def auth():

    # Authorize the user
    # False positive: pylint: disable=no-member
-    redirect_to = hydra_admin_api.accept_login_request(
-        challenge,
-        accept_login_request=AcceptLoginRequest(
-            identity.id,
-            remember=True,
-            # Remember session for 7d
-            remember_for=60 * 60 * 24 * 7,
-        )
-    ).redirect_to
+
+    try:
+        redirect_to = hydra_admin_api.accept_login_request(
+            challenge,
+            accept_login_request=AcceptLoginRequest(
+                identity.id,
+                remember=True,
+                # Remember session for 7d
+                remember_for=60 * 60 * 24 * 7,
+            )
+        ).redirect_to
+    except Exception as e:
+        current_app.logger.error("Failure during accepting login request. Redirecting to logout, hopefully to wipe cookies")
+        current_app.logger.error(e)
+        return redirect("logout")

    return redirect(redirect_to)

@@ -332,11 +338,15 @@ def consent():
    except AttributeError:
        current_app.logger.error(f"Could not find app for client {client_id}")
        return redirect(
-            consent_request.reject(
-                error="No access",
-                error_description="The user has no access for app",
-                error_hint="Contact your administrator",
-                status_code=401,
+            hydra_admin_api.reject_consent_request(
+                challenge,
+                # In previous versions of the hydra API client library, we
+                # could set these parameters, but that's no longer possible,
+                # not sure why.
+                # error="No access",
+                # error_description="The user has no access for app",
+                # error_hint="Contact your administrator",
+                # status_code=401,
            )
        )

@@ -353,11 +363,15 @@ def consent():
        # If there is no role in app_roles or the role_id for an app is null user has no permissions
        current_app.logger.error(f"User has no access for: {app_obj.name}")
        return redirect(
-            consent_request.reject(
-                error="No access",
-                error_description="The user has no access for app",
-                error_hint="Contact your administrator",
-                status_code=401,
+            hydra_admin_api.reject_consent_request(
+                challenge,
+                # In previous versions of the hydra API client library, we
+                # could set these parameters, but that's no longer possible,
+                # not sure why.
+                # error="No access",
+                # error_description="The user has no access for app",
+                # error_hint="Contact your administrator",
+                # status_code=401,
            )
        )
    else:
@@ -375,14 +389,23 @@ def consent():
    current_app.logger.info(f"{kratos_id} was granted access to {client_id}")

    # False positive: pylint: disable=no-member
-    return redirect(
-        consent_request.accept(
-            grant_scope=consent_request.requested_scope,
-            grant_access_token_audience=consent_request.requested_access_token_audience,
-            session=claims,
-        )
-    )
+    try:
+        redirectUrl = hydra_admin_api.accept_consent_request(
+            challenge,
+            accept_consent_request=AcceptConsentRequest(
+                grant_scope=consent_request.requested_scope,
+                grant_access_token_audience=consent_request.requested_access_token_audience,
+                session=ConsentRequestSession(**claims),
+            )
+        ).redirect_to
+    except:
+        # If an unexpected error occurs, logout, hopefully that wipes the
+        # relevant cookies
+        current_app.logger.error('Fatal processing consent, redirect to logout:' + str(e))
+        return redirect("logout")
+    current_app.logger.info(f"Redirect to: {redirectUrl}")

+    return redirect(redirectUrl)

 @web.route("/status", methods=["GET", "POST"])
 def status():
@@ -479,9 +502,9 @@ def prelogout():

    # Accept logout request and direct to hydra to remove cookies
    try:
-        hydra_return = logout_request.accept(subject=logout_request.subject)
+        hydra_return = hydra_admin_api.accept_logout_request(challenge)
        if hydra_return:
-          return redirect(hydra_return)
+          return redirect(hydra_return.redirect_to)

    except Exception as ex:
        current_app.logger.info("Error logging out hydra: %s", str(ex))