mdornseif · February 3, 2015 11:26
diff --git a/login.diff b/login.diff
 mistakenot-2:appengine-toolkit md$ git diff
 diff --git i/gaetk/handler.py w/gaetk/handler.py
 index aeb7ebe..e50d63d 100755
 --- i/gaetk/handler.py
 +++ w/gaetk/handler.py
 @@ -24,10 +24,12 @@ import base64
 import datetime
 import hashlib
 import os
 +import string
 import time
 import urllib
 import urlparse
 import uuid
 +import random
 import warnings
 
 from functools import partial
 @@ -178,6 +180,10 @@ class BasicHandler(webapp2.RequestHandler):
             self.session = {}
         super(BasicHandler, self).__init__(*args, **kwargs)
         self.credential = None
 +        if 'secret_state' not in self.session:
 +            self.session['secret_state'] = ''.join(random.choice(string.ascii_uppercase + string.digits)
 +                    for x in xrange(32))
 +
 
     def abs_url(self, url):
         """Converts an relative into an absolute URL."""
 diff --git i/gaetk/login.py w/gaetk/login.py
 index 7e13820..14c7c51 100755
 --- i/gaetk/login.py
 +++ w/gaetk/login.py
 @@ -136,9 +136,6 @@ class LoginHandler(BasicHandler):
 def get_oauth_url(session, request):
     # Create a state token to prevent request forgery.
     # Store it in the session for later validation.
 -    state = ''.join(random.choice(string.ascii_uppercase + string.digits)
 -                    for x in xrange(32))
 -    session['oauth_state'] = state
     # Set the client ID, token state, and application name in the HTML while
     # serving it.
     url = config.OAUTH['web']['auth_uri']
 @@ -147,7 +144,7 @@ def get_oauth_url(session, request):
         response_type="code",
         scope="openid email profile",
         redirect_uri=get_oauth_callback_url(request),
 -        state=state,
 +        state=session.get('secret_state', 'X'),
         # login_hint="[email protected]", TODO: gaetkoauthmail
     )
     if len(LOGIN_ALLOWED_DOMAINS) == 1:
 @@ -202,9 +199,9 @@ class OAuth2Callback(BasicHandler):
         # https://dev-md-dot-hudoraexpress.appspot.com/oauth2callback?
 
         # 3. Confirm anti-forgery state token
 -        if self.request.get('state') != self.session.get('oauth_state'):
 +        if self.request.get('state') != self.session.get('secret_state', 'X'):
             raise RuntimeError("wrong state: %r != %r" % (
 -                self.request.get('state'), self.session.get('oauth_state')))
 +                self.request.get('state'), self.session.get('secret_state', 'X')))
         if LOGIN_ALLOWED_DOMAINS and self.request.get('hd') not in LOGIN_ALLOWED_DOMAINS:
             raise RuntimeError("wrong domain: %r not in %r" % (
                 self.request.get('hd'), LOGIN_ALLOWED_DOMAINS))
	mistakenot-2:appengine-toolkit md$ git diff
	diff --git i/gaetk/handler.py w/gaetk/handler.py
	index aeb7ebe..e50d63d 100755
	--- i/gaetk/handler.py
	+++ w/gaetk/handler.py
	@@ -24,10 +24,12 @@ import base64
	import datetime
	import hashlib
	import os
	+import string
	import time
	import urllib
	import urlparse
	import uuid
	+import random
	import warnings

	from functools import partial
	@@ -178,6 +180,10 @@ class BasicHandler(webapp2.RequestHandler):
	self.session = {}
	super(BasicHandler, self).__init__(args, *kwargs)
	self.credential = None
	+ if 'secret_state' not in self.session:
	+ self.session['secret_state'] = ''.join(random.choice(string.ascii_uppercase + string.digits)
	+ for x in xrange(32))
	+

	def abs_url(self, url):
	"""Converts an relative into an absolute URL."""
	diff --git i/gaetk/login.py w/gaetk/login.py
	index 7e13820..14c7c51 100755
	--- i/gaetk/login.py
	+++ w/gaetk/login.py
	@@ -136,9 +136,6 @@ class LoginHandler(BasicHandler):
	def get_oauth_url(session, request):
	# Create a state token to prevent request forgery.
	# Store it in the session for later validation.
	- state = ''.join(random.choice(string.ascii_uppercase + string.digits)
	- for x in xrange(32))
	- session['oauth_state'] = state
	# Set the client ID, token state, and application name in the HTML while
	# serving it.
	url = config.OAUTH['web']['auth_uri']
	@@ -147,7 +144,7 @@ def get_oauth_url(session, request):
	response_type="code",
	scope="openid email profile",
	redirect_uri=get_oauth_callback_url(request),
	- state=state,
	+ state=session.get('secret_state', 'X'),
	# login_hint="[email protected]", TODO: gaetkoauthmail
	)
	if len(LOGIN_ALLOWED_DOMAINS) == 1:
	@@ -202,9 +199,9 @@ class OAuth2Callback(BasicHandler):
	# https://dev-md-dot-hudoraexpress.appspot.com/oauth2callback?

	# 3. Confirm anti-forgery state token
	- if self.request.get('state') != self.session.get('oauth_state'):
	+ if self.request.get('state') != self.session.get('secret_state', 'X'):
	raise RuntimeError("wrong state: %r != %r" % (
	- self.request.get('state'), self.session.get('oauth_state')))
	+ self.request.get('state'), self.session.get('secret_state', 'X')))
	if LOGIN_ALLOWED_DOMAINS and self.request.get('hd') not in LOGIN_ALLOWED_DOMAINS:
	raise RuntimeError("wrong domain: %r not in %r" % (
	self.request.get('hd'), LOGIN_ALLOWED_DOMAINS))