Verify redirects

This commit is contained in:
Tracker-Friendly 2024-04-18 16:42:13 +01:00
parent c3b1d4e4e3
commit 8814387151
2 changed files with 9 additions and 3 deletions

main

@ -267,6 +267,10 @@ async def apiauthenticate():
if not str(appidcheck) == str(appId): if not str(appidcheck) == str(appId):
return {}, 401 return {}, 401
rdircheck = str(conn.execute("SELECT rdiruri FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0])
if not str(rdircheck) == str(redirect_uri):
return {}, 401
datatemplate = { datatemplate = {
"sub": user["username"], "sub": user["username"],
"iss": "https://auth.hectabit.org", "iss": "https://auth.hectabit.org",
@ -389,6 +393,7 @@ async def apicreateauth():
appId = data["appId"] appId = data["appId"]
secretKey = data["secretKey"] secretKey = data["secretKey"]
secret = str(secrets.token_hex(512)) secret = str(secrets.token_hex(512))
rdiruri = data["rdiruri"]
conn = get_db_connection() conn = get_db_connection()
while True: while True:
try: try:
@ -409,8 +414,8 @@ async def apicreateauth():
userCookie = get_session(secretKey) userCookie = get_session(secretKey)
user = get_user(userCookie["id"]) user = get_user(userCookie["id"])
conn.execute("INSERT INTO oauth (appId, creator, secret) VALUES (?, ?, ?)", conn.execute("INSERT INTO oauth (appId, creator, secret, rdiruri) VALUES (?, ?, ?, ?)",
(str(appId),int(user["id"]),str(secret))) (str(appId),int(user["id"]),str(secret),str(rdiruri)))
conn.commit() conn.commit()
conn.close() conn.close()
secretkey = { secretkey = {
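Review bot: The redirect URI accepted at registration (`rdiruri = data["rdiruri"]`) is persisted verbatim by the INSERT a few lines below with no validation, so an app can register an empty string, a relative path, a non-HTTPS scheme, or a URI carrying a fragment, and the exact-match check this commit adds in apiauthenticate will then faithfully honour whatever was stored. RFC 6749 §3.1.2 requires the registered redirect endpoint to be an absolute URI with no fragment component, and a request without the key currently surfaces as a KeyError (presumably a 500) rather than a 400. I would parse the value before the database connection is opened and reject anything that is not an absolute https URL with a host and no fragment, which needs `from urllib.parse import urlsplit` in the import block (outside this hunk); an http exception for loopback hosts can be added if local development needs it. apicreateauth continues past the end of this hunk.
```python
    secret = str(secrets.token_hex(512))
    rdiruri = data.get("rdiruri")
    # The stored value is later compared to the request's redirect_uri by exact
    # string match, so only accept an absolute https URI without a fragment
    # (RFC 6749 §3.1.2); anything else is rejected up front with a 400.
    if not isinstance(rdiruri, str):
        return {}, 400
    parsed = urlsplit(rdiruri)
    if parsed.scheme != "https" or not parsed.netloc or parsed.fragment:
        return {}, 400
    # … unchanged: connection setup and appId collision loop …
```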


@ -40,5 +40,6 @@ CREATE TABLE logins (
CREATE TABLE oauth ( CREATE TABLE oauth (
appId TEXT NOT NULL, appId TEXT NOT NULL,
secret TEXT NOT NULL, secret TEXT NOT NULL,
creator INTEGER NOT NULL creator INTEGER NOT NULL,
rdiruri TEXT NOT NULL
) )
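Review bot: The new `rdiruri TEXT NOT NULL` column is only added to the CREATE TABLE statement, so any database initialised before this commit keeps the old three-column `oauth` table and the INSERT and SELECT that now reference `rdiruri` will fail at runtime unless this file is re-applied from scratch (I cannot tell from here whether existing deployments re-run it). If existing databases are kept, ship a migration such as `ALTER TABLE oauth ADD COLUMN rdiruri TEXT NOT NULL DEFAULT '';` alongside this change. Rows left with the empty default should then be treated as unregistered rather than as valid, since an empty stored URI would exact-match an empty `redirect_uri` parameter in apiauthenticate if one can arrive that way.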