fix: enforce https for osm oauth callbacks

hotosm · Nov 9, 2023 · bff1b5f · bff1b5f
1 parent ce1c68d
commit bff1b5f
Showing 1 changed file with 28 additions and 19 deletions.
diff --git a/src/backend/app/auth/auth_routes.py b/src/backend/app/auth/auth_routes.py
@@ -23,7 +23,6 @@
 from loguru import logger as log
 from sqlalchemy.orm import Session
 
-from ..config import settings
 from ..db import database
 from ..db.db_models import DbUser
 from ..users import user_crud
@@ -38,15 +37,18 @@
 
 @router.get("/osm_login/")
 def login_url(request: Request, osm_auth=Depends(init_osm_auth)):
-    """Generate Login URL for authentication using OAuth2 Application registered with OpenStreetMap.
-    Click on the download url returned to get access_token.
+    """Get Login URL for OSM Oauth Application.
 
-    Parameters: None
+    The application must be registered on openstreetmap.org.
+    Open the download url returned to get access_token.
+
+    Args:
+        request: The GET request.
+        osm_auth: The Auth object from osm-login-python.
 
     Returns:
-    -------
-    - login_url (string) - URL to authorize user to the application via. Openstreetmap
-        OAuth2 with client_id, redirect_uri, and permission scope as query_string parameters
+        login_url (string): URL to authorize user in OSM.
+            Includes URL params: client_id, redirect_uri, permission scope.
     """
     login_url = osm_auth.login()
     log.debug(f"Login URL returned: {login_url}")
@@ -60,17 +62,20 @@ def callback(request: Request, osm_auth=Depends(init_osm_auth)):
     Core will use Oauth secret key from configuration while deserializing token,
     provides access token that can be used for authorized endpoints.
 
-    Parameters: None
+    Args:
+        request: The GET request.
+        osm_auth: The Auth object from osm-login-python.
 
     Returns:
-    -------
-    - access_token (string)
+        access_token(string): The access token provided by the login URL request.
     """
     print("Call back api requested", request.url)
 
-    access_token = osm_auth.callback(
-        str(request.url).replace("http", settings.URL_SCHEME)
-    )
+    # Enforce https callback url
+    callback_url = str(request.url).replace("http://", "https://")
+
+    access_token = osm_auth.callback(callback_url)
+
     log.debug(f"Access token returned: {access_token}")
     return JSONResponse(content={"access_token": access_token}, status_code=200)
 
@@ -80,12 +85,14 @@ def my_data(
     db: Session = Depends(database.get_db),
     user_data: AuthUser = Depends(login_required),
 ):
-    """Read the access token and provide  user details from OSM user's API endpoint,
-    also integrated with underpass .
+    """Read access token and get user details from OSM.
 
-    Parameters:None
+    Args:
+        db: The db session.
+        user_data: User data provided by osm-login-python Auth.
 
-    Returns: user_data
+    Returns:
+        user_data(dict): The dict of user data.
     """
     # Save user info in User table
     user = user_crud.get_user_by_id(db, user_data["id"])
@@ -94,8 +101,10 @@ def my_data(
         if user_by_username:
             raise HTTPException(
                 status_code=400,
-                detail=f"User with this username {user_data['username']} already exists. \
-                                            Please contact the administrator for this.",
+                detail=(
+                    f"User with this username {user_data['username']} already exists. "
+                    "Please contact the administrator."
+                ),
             )
 
         db_user = DbUser(id=user_data["id"], username=user_data["username"])