Full PKCE support

Tracker-Friendly 2024-03-31 13:01:41 +01:00
parent 9b364cd21d
commit de5ce1020f
1 changed files with 5 additions and 2 deletions


@ -307,7 +307,6 @@ async def apiauthenticate():
async def apitokenexchange(): async def apitokenexchange():
if request.method == "POST": if request.method == "POST":
data = await request.form data = await request.form
secret = data["client_secret"]
appId = data["client_id"] appId = data["client_id"]
code = data["code"] code = data["code"]
@ -315,13 +314,14 @@ async def apitokenexchange():
code_verify = data["code_verifier"] code_verify = data["code_verifier"]
verifycode = True verifycode = True
else: else:
secret = data["client_secret"]
verifycode = False verifycode = False
conn = get_db_connection() conn = get_db_connection()
# Fetch required data in a single query # Fetch required data in a single query
oauth_data = conn.execute("SELECT appId, secret FROM oauth WHERE appId = ?", (str(appId),)).fetchone() oauth_data = conn.execute("SELECT appId, secret FROM oauth WHERE appId = ?", (str(appId),)).fetchone()
if not oauth_data or oauth_data["appId"] != appId or oauth_data["secret"] != secret: if not oauth_data or oauth_data["appId"] != appId:
return {}, 401 return {}, 401
login_data = conn.execute("SELECT openid, code, pkce, pkcemethod FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(code))).fetchone() login_data = conn.execute("SELECT openid, code, pkce, pkcemethod FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(code))).fetchone()
@ -338,6 +338,9 @@ async def apitokenexchange():
return 403 return 403
else: else:
return 501 return 501
else:
if not oauth_data["secret"] != secret:
return {}, 401
newkey = str(secrets.token_hex(512)) newkey = str(secrets.token_hex(512))
conn.execute("UPDATE logins SET secret = ?, nextsecret = ? WHERE appId = ? AND secret = ?", (str(newkey), str(secrets.token_hex(512)), str(appId), str(secret))) conn.execute("UPDATE logins SET secret = ?, nextsecret = ? WHERE appId = ? AND secret = ?", (str(newkey), str(secrets.token_hex(512)), str(appId), str(secret)))
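Review bot: The added check `if not oauth_data["secret"] != secret:` in the last hunk is inverted — `not (a != b)` is `a == b`, so a client presenting the correct secret gets 401 while one presenting a wrong secret falls through to the token issue below it; it should read `if not secrets.compare_digest(oauth_data["secret"], secret): return {}, 401`, which also makes the comparison constant-time (`secrets` is already in scope at the `token_hex` call; both values must be str or both bytes). Second, the PKCE branch no longer assigns `secret` (the first hunk removed the unconditional read and the second hunk only sets it under `else:`), yet the unchanged `UPDATE logins ... str(secret)` line still references it, so as far as this diff shows the PKCE path raises UnboundLocalError instead of issuing a token — that statement needs a value that exists on both branches. `data["client_secret"]` also raises KeyError (a 500) when the field is absent; `data.get("client_secret")` followed by the 401 on None would match the response the rest of the function uses. apitokenexchange starts before the first hunk and continues past the last one.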