Keep redirecting and add up new 'state' in the session #36

Open
ozjongwon opened this issue Jul 23, 2015 · 1 comment
Comments

@ozjongwon

Middleware stack:

```clojure
(-> app-route
    (friend/authenticate {:allow-anon?         true
                          :default-landing-uri "/console"
                          :login-uri           "/login"
                          :workflows [(workflows/interactive-form
                                       :login-uri "/email-login"
                                       :credential-fn email->user)
                                      (oauth2/workflow
                                       {:client-config fb-client-config
                                        :uri-config fb-uri-config
                                        :access-token-parsefn get-access-token-from-params
                                        :login-uri "/fb-login"
                                        :credential-fn fb-token->user})]})
    wrap-multipart-params
    wrap-keyword-params
    wrap-external-webhooks
    wrap-nested-params
    wrap-params
    wrap-session)
```
Symptom: the 'token' and 'state' entries in the 'session' keep adding up, i.e.,

```clojure
:session
{:vChUz4SvABgQBgjDvrpQERPo1UFyWYwRNimP81aSrCGZ3leug-AC2sNVLGgBqSzEe0giQ1TrvAGwg9mT "state",
 :-kxHImqfWVN3z7brZOIQePKdpC29oxDnSBAscu38l1AUStAVP-hLu3fR8qD9thzosqEXnlMEGqJQtD-p "state",
 ....}
```

Maybe I am doing something wrong, or it is a bug. If it is a bug, I can fix it by changing the following two functions, making 'state' the key and the token the value, not the other way around.

```clojure
(ns friend-oauth2.workflow
  (:require [friend-oauth2.util :as util]
            [ring.util.response]))

(defn- redirect-to-provider!
  "Redirects user to OAuth2 provider. Code should be in response."
  [{:keys [uri-config]} request]
  (let [anti-forgery-token    (util/generate-anti-forgery-token)
        ;; store the token under the fixed key :state, so a repeated
        ;; redirect overwrites the previous token instead of adding a key
        session-with-af-token (assoc (:session request) :state anti-forgery-token)]
    (-> uri-config
        (util/format-authn-uri anti-forgery-token)
        ring.util.response/redirect
        (assoc :session session-with-af-token))))
```

```clojure
(ns friend-oauth2.util)

(defn extract-anti-forgery-token
  "Extracts the anti-csrf state key from the response"
  [{session :session}]
  ;; direct lookup; no need to scan the session for a "state" value
  (:state session))
```

If the 'state' were in friend's ::identity map, it would be better, because when logout gets called it will be cleared from the session by friend's logout function (just a thought, not sure if this is possible).
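As an added illustration (not code from the issue above or from friend-oauth2 itself), the following self-contained Clojure snippet contrasts the two session layouts the report describes: the token-as-key layout `{token "state"}`, which the symptom shows, and the `{:state token}` layout proposed as the fix. It also adds the callback-side check that consumes the token, so the two failure modes of the first layout are visible: abandoned redirects accumulate entries, and with two pending login tabs the newest token is rejected because the value scan returns the oldest one. The namespace `example.oauth2-state`, the helper `generate-anti-forgery-token`, the constant-time comparison, and the modelling of the old layout from the reported symptom are all assumptions of this example.

```clojure
(ns example.oauth2-state
  "Added example, not part of friend-oauth2. Compares storing the OAuth2
   anti-forgery token as {token \"state\"} versus {:state token} in a Ring
   session, and validates it on the provider callback."
  (:import [java.security SecureRandom MessageDigest]
           [java.util Base64]))

(defn generate-anti-forgery-token
  "Assumed helper: 32 random bytes as URL-safe base64 without padding."
  []
  (let [buf (byte-array 32)]
    (.nextBytes (SecureRandom.) buf)
    (.encodeToString (.withoutPadding (Base64/getUrlEncoder)) buf)))

;; Layout modelled on the reported symptom: token is the KEY, "state" the VALUE.
;; Every redirect adds a new key, so abandoned logins pile up in the session.
(defn redirect-old [session]
  (let [token (generate-anti-forgery-token)]
    {:session (assoc session token "state") :state token}))

(defn extract-old [session]
  ;; Must scan values; returns the first match, i.e. the oldest token
  ;; while the session is still an insertion-ordered array map.
  (some (fn [[k v]] (when (= v "state") k)) session))

;; Layout proposed in the issue: :state is the KEY, token the VALUE.
;; A repeated redirect overwrites the previous token instead of adding one.
(defn redirect-new [session]
  (let [token (generate-anti-forgery-token)]
    {:session (assoc session :state token) :state token}))

(defn extract-new [session]
  (:state session))

(def old-layout {:extract extract-old :consume (fn [s t] (dissoc s t))})
(def new-layout {:extract extract-new :consume (fn [s _] (dissoc s :state))})

(defn constant-time-equal?
  "Compare two tokens without leaking length-of-match via timing."
  [^String a ^String b]
  (MessageDigest/isEqual (.getBytes a "UTF-8") (.getBytes b "UTF-8")))

(defn callback
  "Simulates the provider redirecting back with ?state=<returned-state>.
   Returns the session with the token consumed, or nil on mismatch."
  [{:keys [extract consume]} session returned-state]
  (let [expected (extract session)]
    (when (and expected returned-state
               (constant-time-equal? expected returned-state))
      (consume session expected))))

(defn simulate
  "Runs n login redirects against one session without completing any and
   returns how many entries are left in the session afterwards."
  [redirect-fn n]
  (count (nth (iterate #(:session (redirect-fn %)) {}) n)))

(defn -main [& _]
  (println "entries after 5 abandoned redirects, token-as-key: "
           (simulate redirect-old 5))
  (println "entries after 5 abandoned redirects, :state-as-key:"
           (simulate redirect-new 5))
  ;; Two login tabs opened; the user completes the SECOND redirect.
  (let [{s1 :session} (redirect-old {})
        {s2 :session t2 :state} (redirect-old s1)]
    (println "token-as-key, newest token accepted? "
             (some? (callback old-layout s2 t2))))
  (let [{s1 :session} (redirect-new {})
        {s2 :session t2 :state} (redirect-new s1)]
    (println ":state-as-key, newest token accepted?"
             (some? (callback new-layout s2 t2)))))
```

Run with `clj -M -m example.oauth2-state` (or call `-main` from a REPL). Under the token-as-key layout `simulate` reports 5 leftover entries and the newest token is rejected, since `extract-old` returns whichever "state" entry the map yields first; under the `:state` layout it reports 1 entry and the newest token is accepted, while a stale token from an older tab is rejected. The `consume` step matters in both layouts: removing the token once it has been checked keeps a captured callback URL from being replayed against the same session.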

@ddellacosta
Contributor

Hey, sorry I've been slow to respond. I'm in the process of doing some serious refactoring now and this'll get updated to work in the way you're suggesting as part of it. Will update here when that's in!

freakinruben pushed a commit to vita-io/friend-oauth2 that referenced this issue Oct 12, 2015
@oubiwann oubiwann added the bug label Nov 29, 2016
@oubiwann oubiwann modified the milestone: 0.7.0 Nov 29, 2016
3 participants