From bff1b5f790ef8847923c3098d5c770a058a7c86e Mon Sep 17 00:00:00 2001
From: spwoodcock
Date: Thu, 9 Nov 2023 05:01:34 +0000
Subject: [PATCH] fix: enforce https for osm oauth callbacks
---
src/backend/app/auth/auth_routes.py | 47 +++++++++++++++++------------
1 file changed, 28 insertions(+), 19 deletions(-)
diff --git a/src/backend/app/auth/auth_routes.py b/src/backend/app/auth/auth_routes.py
index 1d4d5a7181..1c6c60cbea 100644
--- a/src/backend/app/auth/auth_routes.py
+++ b/src/backend/app/auth/auth_routes.py
@@ -23,7 +23,6 @@ from loguru import logger as log from sqlalchemy.orm import Session -from ..config import settings from ..db import database from ..db.db_models import DbUser from ..users import user_crud
@@ -38,15 +37,18 @@ @router.get("/osm_login/") def login_url(request: Request, osm_auth=Depends(init_osm_auth)): - """Generate Login URL for authentication using OAuth2 Application registered with OpenStreetMap. - Click on the download url returned to get access_token. + """Get Login URL for OSM Oauth Application. - Parameters: None + The application must be registered on openstreetmap.org. + Open the download url returned to get access_token. + + Args: + request: The GET request. + osm_auth: The Auth object from osm-login-python. Returns: - ------- - - login_url (string) - URL to authorize user to the application via. Openstreetmap - OAuth2 with client_id, redirect_uri, and permission scope as query_string parameters + login_url (string): URL to authorize user in OSM. + Includes URL params: client_id, redirect_uri, permission scope. """ login_url = osm_auth.login() log.debug(f"Login URL returned: {login_url}")
@@ -60,17 +62,20 @@ def callback(request: Request, osm_auth=Depends(init_osm_auth)): Core will use Oauth secret key from configuration while deserializing token, provides access token that can be used for authorized endpoints. - Parameters: None + Args: + request: The GET request. + osm_auth: The Auth object from osm-login-python. Returns: - ------- - - access_token (string) + access_token(string): The access token provided by the login URL request. """ print("Call back api requested", request.url) - access_token = osm_auth.callback( - str(request.url).replace("http", settings.URL_SCHEME) - ) + # Enforce https callback url + callback_url = str(request.url).replace("http://", "https://") + + access_token = osm_auth.callback(callback_url) + log.debug(f"Access token returned: {access_token}") return JSONResponse(content={"access_token": access_token}, status_code=200)
@@ -80,12 +85,14 @@ def my_data( db: Session = Depends(database.get_db), user_data: AuthUser = Depends(login_required), ): - """Read the access token and provide user details from OSM user's API endpoint, - also integrated with underpass . + """Read access token and get user details from OSM. - Parameters:None + Args: + db: The db session. + user_data: User data provided by osm-login-python Auth. - Returns: user_data + Returns: + user_data(dict): The dict of user data. """ # Save user info in User table user = user_crud.get_user_by_id(db, user_data["id"])
@@ -94,8 +101,10 @@ def my_data( if user_by_username: raise HTTPException( status_code=400, - detail=f"User with this username {user_data['username']} already exists. \ - Please contact the administrator for this.", + detail=( + f"User with this username {user_data['username']} already exists. " + "Please contact the administrator." + ), ) db_user = DbUser(id=user_data["id"], username=user_data["username"])
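Review bot: The access token is still written to the log by the context line kept below the new code, `log.debug(f"Access token returned: {access_token}")`, and `print("Call back api requested", request.url)` just above it sends the full callback URL, whose query string in an OAuth2 redirect normally carries the authorization code, to stdout; both values are bearer credentials and should not reach log output, so log only the event, e.g. `log.debug("Access token received from OSM callback")`, and drop or redact the URL print. Separately, `str(request.url).replace("http://", "https://")` rewrites every occurrence of that substring, not just the scheme, so a query value that itself contains `http://` would be altered before being passed to osm_auth.callback; `callback_url = str(request.url.replace(scheme="https"))` changes only the scheme component. Hard-coding https also means a plain-http development deployment can no longer complete the callback, which the removed `settings.URL_SCHEME` allowed, and if the motivation is a TLS-terminating reverse proxy, honouring X-Forwarded-Proto through the ASGI server's proxy-headers support is likely the more robust fix than string rewriting. The `def callback(...)` line and the first lines of its docstring lie before this hunk; the function body ends with the return inside it.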