IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Added a state parameter for all OAuth requests

Browse Source
This commit is contained in:
Eric Perrino 2016-10-08 01:20:45 -05:00
parent 913f17ee8a
commit 81443bf8b4
2 changed files with 20 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
pkg/api/login_oauth.go
View File

@ -3,6 +3,8 @@ package api
import ( import (
"errors" "errors"
"fmt" "fmt"
"crypto/rand"
"encoding/base64"
"golang.org/x/oauth2" "golang.org/x/oauth2"
@ -14,6 +16,12 @@ import (
"github.com/grafana/grafana/pkg/social" "github.com/grafana/grafana/pkg/social"
) )
func GenStateString() string {
rnd := make([]byte, 32)
rand.Read(rnd)
return base64.StdEncoding.EncodeToString(rnd)
}
func OAuthLogin(ctx *middleware.Context) { func OAuthLogin(ctx *middleware.Context) {
if setting.OAuthService == nil { if setting.OAuthService == nil {
ctx.Handle(404, "login.OAuthLogin(oauth service not enabled)", nil) ctx.Handle(404, "login.OAuthLogin(oauth service not enabled)", nil)
@ -29,7 +37,17 @@ func OAuthLogin(ctx *middleware.Context) {
code := ctx.Query("code") code := ctx.Query("code")
if code == "" { if code == "" {
ctx.Redirect(connect.AuthCodeURL("", oauth2.AccessTypeOnline)) state := GenStateString()
ctx.Session.Set(middleware.SESS_KEY_OAUTH_STATE, state)
ctx.Redirect(connect.AuthCodeURL(state, oauth2.AccessTypeOnline))
return
}
// verify state string
savedState := ctx.Session.Get(middleware.SESS_KEY_OAUTH_STATE).(string)
queryState := ctx.Query("state")
if savedState != queryState {
ctx.Handle(500, "login.OAuthLogin(state mismatch)", nil)
return return
} }

1
pkg/middleware/session.go
View File

@ -13,6 +13,7 @@ import (
const ( const (
SESS_KEY_USERID = "uid" SESS_KEY_USERID = "uid"
SESS_KEY_OAUTH_STATE = "state"
) )
var sessionManager *session.Manager var sessionManager *session.Manager