Guard oauth callback against missing session tokens

Edward Betts 2026-05-14 10:14:59 +01:00
parent 626afe487c
commit fd59e2a9a4


@ -222,13 +222,16 @@ def start_oauth() -> Response:
def oauth_callback() -> werkzeug.wrappers.response.Response: def oauth_callback() -> werkzeug.wrappers.response.Response:
"""Oauth callback.""" """Oauth callback."""
client_key = app.config["CLIENT_KEY"] client_key = app.config["CLIENT_KEY"]
if "owner_key" not in flask.session or "owner_secret" not in flask.session:
return flask.redirect(flask.url_for("start_oauth"))
client_secret = app.config["CLIENT_SECRET"] client_secret = app.config["CLIENT_SECRET"]
oauth = OAuth1Session( oauth = OAuth1Session(
client_key, client_key,
client_secret=client_secret, client_secret=client_secret,
resource_owner_key=flask.session.get("owner_key"), resource_owner_key=flask.session["owner_key"],
resource_owner_secret=flask.session.get("owner_secret"), resource_owner_secret=flask.session["owner_secret"],
) )
oauth_response = oauth.parse_authorization_response(flask.request.url) oauth_response = oauth.parse_authorization_response(flask.request.url)
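Review bot: The new guard in oauth_callback redirects to start_oauth without recording anything, so a callback that arrives with no `owner_key`/`owner_secret` in the session (expired session, blocked cookies, or a callback URL this browser never started) leaves no trace for whoever monitors the login flow. Logging before the redirect, for example `app.logger.warning("oauth callback without request token in session")` (assuming `app` is the Flask application object), would make these events visible. If the provider sends already-authorised users straight back, a browser that never stores the session cookie could bounce between the two routes, so an error page may be safer than an unconditional redirect; this is inferred, since start_oauth is not shown here. The guard would also read more clearly placed above the `client_key` lookup rather than between the two config reads, and the function body continues past the end of the hunk.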