Skip to content
This repository was archived by the owner on Jan 18, 2025. It is now read-only.

Fixing incremental auth in flask_util. #322

Merged
merged 1 commit into from
Oct 22, 2015
Merged

Fixing incremental auth in flask_util. #322

merged 1 commit into from
Oct 22, 2015

Conversation

theacodes
Copy link
Contributor

  • Flow is now stored in the session, ensuring that the scopes survive the round trip to the auth server.
  • The base credentials are now checked in required, solving an issue where it's possible to pass the check with the incremental scopes but without the base scopes.

Fixes #320

@theacodes
Copy link
Contributor Author

Sigh, python 2.6, you are a thorn in my side.

@waprin
Copy link
Contributor

waprin commented Oct 12, 2015

LGTM. Tested it on my sample cases and it worked fine.

dhermes
dhermes reviewed Oct 12, 2015
View reviewed changes
oauth2client/flask_util.py
@@ -331,6 +333,20 @@ def _make_flow(self, return_url=None, **kwargs):
redirect_uri=url_for('oauth2.callback', _external=True),
**kw)

flow_key = 'google_oauth2_flow_{0}'.format(csrf_token)
session[flow_key] = pickle.dumps(flow)

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

@theacodes
Copy link
Contributor Author

@dhermes anything holding this back from being merged?

@dhermes
Copy link
Contributor

dhermes commented Oct 18, 2015

I didn't really review this and don't have throughput to do it. I'll leave it to @nathanielmanistaatgoogle

@nathanielmanistaatgoogle
Copy link
Contributor

I'll try to get to this sometime this week. Does it have time-sensitivity to it?

@waprin
Copy link
Contributor

waprin commented Oct 19, 2015

I don't think it's especially urgent (though not sure what Jon thinks), but it does fix some critical bugs with the extension and it's a somewhat small patch.

@theacodes
Copy link
Contributor Author

Not overly urgent as I doubt many people are using incremental auth at this point.

I would like to have this, #326, #325, #323, and DictionaryStorage from #319 released together.

All-in-all, lots of new features specific to the usage of web applications. Once we have those in and battle tested a little, we can start promoting them.

nathanielmanistaatgoogle
nathanielmanistaatgoogle reviewed Oct 19, 2015
View reviewed changes
oauth2client/flask_util.py

return flow

def _get_flow_for_token(self, csrf_token):

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

@theacodes
Copy link
Contributor Author

Thank you for that thorough review @nathanielmanistaatgoogle. I think I got everything.

nathanielmanistaatgoogle
nathanielmanistaatgoogle reviewed Oct 21, 2015
View reviewed changes
oauth2client/flask_util.py
flow_pickle = session.get(
self._flow_key.format(csrf_token), None)

if not flow_pickle:

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

@theacodes
Copy link
Contributor Author

Okay, moved _get_flow_for_token into a private module-level function, and ensured tests all pass. @nathanielmanistaatgoogle it's ready for another look.

nathanielmanistaatgoogle
nathanielmanistaatgoogle reviewed Oct 21, 2015
View reviewed changes
oauth2client/flask_util.py
@@ -191,6 +192,21 @@ def requires_calendar():
__author__ = '[email protected] (Jon Wayne Parrott)'

DEFAULT_SCOPES = ('email',)
CREDENTIALS_KEY = 'google_oauth2_credentials'

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

nathanielmanistaatgoogle
nathanielmanistaatgoogle reviewed Oct 21, 2015
View reviewed changes
tests/test_flask_util.py
session['google_oauth2_csrf_token'] = 'tokenz'

state = '[{'
rv = c.get('/oauth2callback?state=%s&code=codez' % state)
self.assertEqual(rv.status_code, httplib.BAD_REQUEST)
response = client.get('/oauth2callback?state=%s&code=codez' % state)

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

@nathanielmanistaatgoogle
Copy link
Contributor

I think I'm done with comments now. Fingers crossed.

@theacodes
Copy link
Contributor Author

Fingers crossed here too, thanks for the review. :)

Fixing incremental auth in flask_util.
07ea7c5 
* Flow is now stored in the session, ensuring that the scopes survive the round trip to the auth server.
* The base credentials are now checked in `required`, solving an issue where it's possible to pass the check with the incremental scopes but without the base scopes.

Fixes googleapis#320
nathanielmanistaatgoogle added a commit that referenced this pull request Oct 22, 2015
@nathanielmanistaatgoogle
Merge pull request #322 from jonparrott/master
311a53f 
Fixed incremental auth in flask_util.
@nathanielmanistaatgoogle nathanielmanistaatgoogle merged commit 311a53f into googleapis:master Oct 22, 2015
@theacodes
Copy link
Contributor Author

Thanks!

On Wed, Oct 21, 2015, 5:04 PM Nathaniel Manista [email protected]
wrote:

Merged #322 #322.


Reply to this email directly or view it on GitHub
#322 (comment).

@dhermes dhermes mentioned this pull request Nov 18, 2015
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
cla: yes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@theacodes @waprin @dhermes @nathanielmanistaatgoogle @googlebot