OLMIS-7642: Fixed CRSF token generation, release 0.5.1 (#4)

OpenLMIS · Nov 18, 2022 · 40ec1c0 · 40ec1c0
1 parent 3d070ee
commit 40ec1c0
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 9 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,3 +1,6 @@
+v0.5.1
+- Fixed CRSF token generation
+
 v0.5.0 
 - OpenLMIS Version release, support for Superset 1.5.2, security fix
 

diff --git a/superset_patchup/oauth.py b/superset_patchup/oauth.py
@@ -3,8 +3,7 @@
 import re
 import json
 import time
-import secrets
-import base64
+import random
 
 from flask import (
     abort,
@@ -35,7 +34,6 @@ class AuthOAuthView(SupersetAuthOAuthView):
     """Flask-AppBuilder's Authentication OAuth view"""
 
     state_expires_in = 3600
-    state_token_length = 64
     login_template = "appbuilder/general/security/login_oauth.html"
 
     @expose("/login/")
@@ -122,9 +120,8 @@ def login_init(self, provider=None):
         session[f"_{provider}_authlib_redirect_uri_"] = redirect_url
         # For Authlib 1.1.0 (Superset 1.5.2)
         now = time.time()
-        state_str = state.decode("utf-8")
         state_data = {"state": state, "redirect_uri": redirect_url}
-        session[f"_state_{provider}_{state_str}"] = {"data": state_data, "exp": now + self.state_expires_in}
+        session[f"_state_{provider}_{state}"] = {"data": state_data, "exp": now + self.state_expires_in}
 
         return make_response(jsonify(isAuthorized=False, state=state))
 
@@ -134,8 +131,6 @@ def login_init(self, provider=None):
     def oauth_authorized(self, provider):
         """View that a user is redirected to from the Oauth server"""
 
-        logging.info(session)
-
         logging.debug("Authorized init")
         if "Custom-Api-Token" in request.headers:
             logging.debug("Custom-Api-Token is present")
@@ -197,7 +192,7 @@ def generate_state(self):
         """
         Generates random state for protection from Cross-site Request Forgery attacks
         """
-        return base64.b64encode(secrets.token_bytes(self.state_token_length))
+        return '%064x' % random.randrange(16**64)
 
 
 class CustomSecurityManager(SupersetSecurityManager):

diff --git a/superset_patchup/version.py b/superset_patchup/version.py
@@ -1,3 +1,3 @@
 """Version goes here - to avoid cyclic dependencies :-("""
-VERSION = (0, 5, 0)
+VERSION = (0, 5, 1)
 __version__ = ".".join(str(v) for v in VERSION)