Handle facebook limited login #113
Conversation
src/auth.py
Outdated
| public_key_pem = jwt.algorithms.RSAAlgorithm.from_jwk(key_data) | ||
|
|
||
| return public_key_pem | ||
| @lru_cache(maxsize=1) |
There was a problem hiding this comment.
Use @cache here, @lru_cache is not needed. But how often does the Facebook public key change? If it changes e.g. every 24 hours we need a mechanism to refetch it if the last value fetched is > 12 hours old.
There was a problem hiding this comment.
The documentation doesn’t specify a time frame for public key changes, but I believe we should refetch it every week.
kadyvillicana
force-pushed
the
facebook-limited-login
branch
from
b62bea4 to
46375ea
Compare
| return ( | ||
| jsonify( | ||
| {"status": "invalid", "msg": "Invalid Facebook nonce token",} | ||
| ), | ||
| 401, | ||
| ) | ||
| account = decoded_token.get('sub', '') | ||
| account = decoded_token.get("sub", "") |
There was a problem hiding this comment.
In the other case (non-limited login), the account id is compared with the original string from the login request, and if different, the login is aborted. Does the same logic apply here, in the limited login case? @kadyvillicana
| @@ -398,6 +398,11 @@ def oauth_fb(request: Request) -> ResponseType: | |||
| ), | |||
| 401, | |||
| ) | |||
| if account != user.get("id"): | |||
There was a problem hiding this comment.
It seems to me like we need instead, in line 386, something like this:
account_in_token = decoded_token.get("sub", "")
if account_in_token != account:
return (jsonify(...), 401) # User account mismatch
We already assigned the account variable in line 326 and the user id in the token ("sub") must match that account id.
No description provided.