fastapi-sso 0.15.0__py3-none-any.whl → 0.16.0__py3-none-any.whl

fastapi_sso/sso/base.py

@@ -1,11 +1,13 @@
 """SSO login base dependency."""
 
+import asyncio
 import json
 import logging
 import os
+import sys
 import warnings
 from types import TracebackType
-from typing import Any, ClassVar, Dict, List, Literal, Optional, Type, TypedDict, Union, overload
+from typing import Any, ClassVar, Dict, List, Literal, Optional, Type, TypedDict, TypeVar, Union, overload
 
 import httpx
 import pydantic
@@ -17,8 +19,19 @@ from starlette.responses import RedirectResponse
 from fastapi_sso.pkce import get_pkce_challenge_pair
 from fastapi_sso.state import generate_random_state
 
+if sys.version_info < (3, 10):
+    from typing import Callable  # pragma: no cover
+
+    from typing_extensions import ParamSpec  # pragma: no cover
+else:
+    from collections.abc import Callable
+    from typing import ParamSpec
+
 logger = logging.getLogger(__name__)
 
+T = TypeVar("T")
+P = ParamSpec("P")
+
 
 class DiscoveryDocument(TypedDict):
     """Discovery document."""
@@ -55,6 +68,26 @@ class OpenID(pydantic.BaseModel):
     provider: Optional[str] = None
 
 
+class SecurityWarning(UserWarning):
+    """Raised when insecure usage is detected"""
+
+
+def requires_async_context(func: Callable[P, T]) -> Callable[P, T]:
+    def wrapper(*args: P.args, **kwargs: P.kwargs) -> T:
+        if not args or not isinstance(args[0], SSOBase):
+            return func(*args, **kwargs)
+        if not args[0]._in_stack:
+            warnings.warn(
+                "Please make sure you are using SSO provider in an async context (using 'async with provider:'). "
+                "See https://github.com/tomasvotava/fastapi-sso/issues/186 for more information.",
+                category=SecurityWarning,
+                stacklevel=1,
+            )
+        return func(*args, **kwargs)
+
+    return wrapper
+
+
 class SSOBase:
     """Base class for all SSO providers."""
 
@@ -83,6 +116,8 @@ class SSOBase:
         self.client_secret: str = client_secret
         self.redirect_uri: Optional[Union[pydantic.AnyHttpUrl, str]] = redirect_uri
         self.allow_insecure_http: bool = allow_insecure_http
+        self._login_lock = asyncio.Lock()
+        self._in_stack = False
         self._oauth_client: Optional[WebApplicationClient] = None
         self._generated_state: Optional[str] = None
 
@@ -128,6 +163,7 @@ class SSOBase:
         return self._state
 
     @property
+    @requires_async_context
     def oauth_client(self) -> WebApplicationClient:
         """Retrieves the OAuth Client to aid in generating requests and parsing responses.
 
@@ -144,6 +180,7 @@ class SSOBase:
         return self._oauth_client
 
     @property
+    @requires_async_context
     def access_token(self) -> Optional[str]:
         """Retrieves the access token from token endpoint.
 
@@ -153,6 +190,7 @@ class SSOBase:
         return self.oauth_client.access_token
 
     @property
+    @requires_async_context
     def refresh_token(self) -> Optional[str]:
         """Retrieves the refresh token if returned from provider.
 
@@ -162,6 +200,7 @@ class SSOBase:
         return self._refresh_token or self.oauth_client.refresh_token
 
     @property
+    @requires_async_context
     def id_token(self) -> Optional[str]:
         """Retrieves the id token if returned from provider.
 
@@ -308,6 +347,7 @@ class SSOBase:
         convert_response: Literal[False],
     ) -> Optional[Dict[str, Any]]: ...
 
+    @requires_async_context
     async def verify_and_process(
         self,
         request: Request,
@@ -362,6 +402,12 @@ class SSOBase:
         )
 
     def __enter__(self) -> "SSOBase":
+        warnings.warn(
+            "SSO Providers are supposed to be used in async context, please change 'with provider' to "
+            "'async with provider'. See https://github.com/tomasvotava/fastapi-sso/issues/186 for more information.",
+            DeprecationWarning,
+            stacklevel=1,
+        )
         self._oauth_client = None
         self._refresh_token = None
         self._id_token = None
@@ -372,6 +418,28 @@ class SSOBase:
             self._pkce_code_verifier, self._pkce_code_challenge = get_pkce_challenge_pair(self._pkce_challenge_length)
         return self
 
+    async def __aenter__(self) -> "SSOBase":
+        await self._login_lock.acquire()
+        self._in_stack = True
+        self._oauth_client = None
+        self._refresh_token = None
+        self._id_token = None
+        self._state = None
+        if self.requires_state:
+            self._generated_state = generate_random_state()
+        if self.uses_pkce:
+            self._pkce_code_verifier, self._pkce_code_challenge = get_pkce_challenge_pair(self._pkce_challenge_length)
+        return self
+
+    async def __aexit__(
+        self,
+        _exc_type: Optional[Type[BaseException]],
+        _exc_val: Optional[BaseException],
+        _exc_tb: Optional[TracebackType],
+    ) -> None:
+        self._in_stack = False
+        self._login_lock.release()
+
     def __exit__(
         self,
         _exc_type: Optional[Type[BaseException]],
@@ -410,6 +478,7 @@ class SSOBase:
         convert_response: Literal[False],
     ) -> Optional[Dict[str, Any]]: ...
 
+    @requires_async_context
     async def process_login(
         self,
         code: str,

fastapi_sso/sso/seznam.py

@@ -0,0 +1,39 @@
+"""Seznam SSO Login Helper."""
+
+from typing import TYPE_CHECKING, ClassVar, Optional
+
+from fastapi_sso.sso.base import DiscoveryDocument, OpenID, SSOBase
+
+if TYPE_CHECKING:
+    import httpx  # pragma: no cover
+
+
+# https://vyvojari.seznam.cz/oauth/doc
+
+
+class SeznamSSO(SSOBase):
+    """Class providing login via Seznam OAuth."""
+
+    provider = "seznam"
+    base_url = "https://login.szn.cz/api/v1"
+    scope: ClassVar = ["identity", "avatar"]  # + ["contact-phone", "adulthood", "birthday", "gender"]
+
+    async def get_discovery_document(self) -> DiscoveryDocument:
+        """Get document containing handy urls."""
+        return {
+            "authorization_endpoint": f"{self.base_url}/oauth/auth",
+            "token_endpoint": f"{self.base_url}/oauth/token",
+            "userinfo_endpoint": f"{self.base_url}/user",
+        }
+
+    async def openid_from_response(self, response: dict, session: Optional["httpx.AsyncClient"] = None) -> OpenID:
+        """Return OpenID from user information provided by Seznam."""
+        return OpenID(
+            email=response.get("email"),
+            first_name=response.get("firstname"),
+            last_name=response.get("lastname"),
+            display_name=response.get("accountDisplayName"),
+            provider=self.provider,
+            id=response.get("oauth_user_id"),
+            picture=response.get("avatar_url"),
+        )

{fastapi_sso-0.15.0.dist-info → fastapi_sso-0.16.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: fastapi-sso
-Version: 0.15.0
+Version: 0.16.0
 Summary: FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account)
 Home-page: https://tomasvotava.github.io/fastapi-sso/
 License: MIT
@@ -15,10 +15,12 @@ Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Requires-Dist: fastapi (>=0.80)
 Requires-Dist: httpx (>=0.23.0)
 Requires-Dist: oauthlib (>=3.1.0)
 Requires-Dist: pydantic[email] (>=1.8.0)
+Requires-Dist: typing-extensions (>=4.12.2,<5.0.0) ; python_version < "3.10"
 Project-URL: Documentation, https://tomasvotava.github.io/fastapi-sso/
 Project-URL: Repository, https://github.com/tomasvotava/fastapi-sso
 Description-Content-Type: text/markdown
@@ -61,14 +63,53 @@ Quick links for the eager ones:
 - [Demo site](https://fastapi-sso-example.vercel.app/)
 - [Medium articles](https://medium.com/@christos.karvouniaris247)
 
-## Security warning
+## Security Notice
 
-Please note that versions preceding `0.7.0` had a security vulnerability.
-The SSO instance could share state between requests, which could lead to security issues.
-**Please update to `0.7.0` or newer**.
+### Version `0.16.0` Update: Race Condition Bug Fix & Context Manager Change
 
-Also, the preferred way of using the SSO instances is to use `with` statement, which will ensure the state is cleared.
-See example below.
+A race condition bug in the login flow that could, in rare cases, allow one user
+to assume the identity of another due to concurrent login requests was recently discovered
+by [@parikls](https://github.com/parikls).
+This issue was reported in [#186](https://github.com/tomasvotava/fastapi-sso/issues/186) and has been resolved
+in version `0.16.0`.
+
+**Details of the Fix:**
+
+The bug was mitigated by introducing an async lock mechanism that ensures only one user can attempt the login
+process at any given time. This prevents race conditions that could lead to unintended user identity crossover.
+
+**Important Change:**
+
+To fully support this fix, **users must now use the SSO instance within an `async with`
+context manager**. This adjustment is necessary for proper handling of asynchronous operations.
+
+The synchronous `with` context manager is now deprecated and will produce a warning.
+It will be removed in future versions to ensure best practices for async handling.
+
+**Impact:**
+
+This bug could potentially affect deployments with high concurrency or scenarios where multiple users initiate
+login requests simultaneously. To prevent potential issues and deprecation warnings, **update to
+version `0.16.0` or later and modify your code to use the async with context**.
+
+Code Example Update:
+
+```python
+# Before (deprecated)
+with sso:
+    openid = await sso.verify_and_process(request)
+
+# After (recommended)
+async with sso:
+    openid = await sso.verify_and_process(request)
+```
+
+Thanks to both [@parikls](https://github.com/parikls) and the community for helping me identify and improve the
+security of `fastapi-sso`. If you encounter any issues or potential vulnerabilities, please report them
+immediately so they can be addressed.
+
+For more details, refer to Issue [#186](https://github.com/tomasvotava/fastapi-sso/issues/186)
+and PR [#189](https://github.com/tomasvotava/fastapi-sso/pull/189).
 
 ## Support this project
 
@@ -101,6 +142,7 @@ I tend to process Pull Requests faster when properly caffeinated 😉.
 - Line (by Jimmy Yeh) - [jimmyyyeh](https://github.com/jimmyyyeh)
 - LinkedIn (by Alessandro Pischedda) - [Cereal84](https://github.com/Cereal84)
 - Yandex (by Akim Faskhutdinov) – [akimrx](https://github.com/akimrx)
+- Seznam (by Tomas Koutek) - [TomasKoutek](https://github.com/TomasKoutek)
 
 See [Contributing](#contributing) for a guide on how to contribute your own login provider.
 

{fastapi_sso-0.15.0.dist-info → fastapi_sso-0.16.0.dist-info}/RECORD

@@ -2,7 +2,7 @@ fastapi_sso/__init__.py,sha256=dGVA7UO2jDN2RAk5UlI73k1p8zEXMjUEaP7Kwq3_Gzc,1006
 fastapi_sso/pkce.py,sha256=QDqCH5f5EDmIG2MHfcAYbZJaURbl6w5IiuS6SHq89qA,792
 fastapi_sso/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 fastapi_sso/sso/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-fastapi_sso/sso/base.py,sha256=2kCS8nKgGznGK5bQ9U8xZYyhgDfT0cIB652UbM3BcXY,19295
+fastapi_sso/sso/base.py,sha256=PuxN9rEWLZ5c1WN751lFrGArVcOGipcpX43gPDbsbn8,21637
 fastapi_sso/sso/facebook.py,sha256=JaGCT2v56iRRQlnoZ5OSsB19677gyMU7U5dZTjVE_mc,1368
 fastapi_sso/sso/fitbit.py,sha256=CIqyyMDzZ0sYbZOtDNEotsoqq0Rvr5x4oP8_yWxfU7M,1301
 fastapi_sso/sso/generic.py,sha256=VBzKVc2ckpuC4XqzlXQ56eg-xK8roV-uiUc2xsVseOI,2647
@@ -15,11 +15,12 @@ fastapi_sso/sso/linkedin.py,sha256=w6zSufyUNZguxnyfn62RPXrOGp48J9jKJL4Nx4NWit0,1
 fastapi_sso/sso/microsoft.py,sha256=1RFIUeGZCVIBCr7kCvoOrt_FKcVRCrFO6boxnFpAioc,1960
 fastapi_sso/sso/naver.py,sha256=IFFGPnUR1eOsS4JpubNLqOHDaQaqekPwDIZmm0NKRao,1149
 fastapi_sso/sso/notion.py,sha256=YWGBUhN-CFTEpjIgkkEUS5JmGawyhJE57XB4Q9nFOD4,1334
+fastapi_sso/sso/seznam.py,sha256=HGI01QPBYslv_b6Lq3oTL2UWPnNLPu45y3rgTdDqxpU,1383
 fastapi_sso/sso/spotify.py,sha256=FvX2N91Bi3wgKRwdU1sWo-zA0s3wYJCiCYA05ebXweE,1244
 fastapi_sso/sso/twitter.py,sha256=1kMjFdh-OT1b5bJvY3tWfl-BRBv2hVZ6L_liLAvNML8,1249
 fastapi_sso/sso/yandex.py,sha256=8jKkh-na62lwsaBW7Pvj6VC6WlR0RMg8KrSNlr2Hj8o,1507
 fastapi_sso/state.py,sha256=9RKMrFGjeN4Ab-3var81QV-gpcBlnNy152WYbxTUGVY,300
-fastapi_sso-0.15.0.dist-info/LICENSE.md,sha256=5NVQtYs6liDtYdWM4VObWmTTKaK0k9C9txx5pLPJSyQ,1093
-fastapi_sso-0.15.0.dist-info/METADATA,sha256=5d46yWYjJGBmM6gDJ60v955NlMAmZd58nIc-Xvo5F64,5197
-fastapi_sso-0.15.0.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-fastapi_sso-0.15.0.dist-info/RECORD,,
+fastapi_sso-0.16.0.dist-info/LICENSE.md,sha256=5NVQtYs6liDtYdWM4VObWmTTKaK0k9C9txx5pLPJSyQ,1093
+fastapi_sso-0.16.0.dist-info/METADATA,sha256=VCFezbjou97uivlibCnawLjRwRZ6H_iCiRVNCSW0fl8,7038
+fastapi_sso-0.16.0.dist-info/WHEEL,sha256=Nq82e9rUAnEjt98J6MlVmMCZb-t9cYE2Ir1kpBmnWfs,88
+fastapi_sso-0.16.0.dist-info/RECORD,,

{fastapi_sso-0.15.0.dist-info → fastapi_sso-0.16.0.dist-info}/WHEEL

@@ -1,4 +1,4 @@
 Wheel-Version: 1.0
-Generator: poetry-core 1.9.0
+Generator: poetry-core 1.9.1
 Root-Is-Purelib: true
 Tag: py3-none-any