fastapi-sso 0.18.0__py3-none-any.whl → 0.19.0__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- fastapi_sso/sso/base.py +10 -0
- {fastapi_sso-0.18.0.dist-info → fastapi_sso-0.19.0.dist-info}/METADATA +14 -2
- {fastapi_sso-0.18.0.dist-info → fastapi_sso-0.19.0.dist-info}/RECORD +5 -5
- {fastapi_sso-0.18.0.dist-info → fastapi_sso-0.19.0.dist-info}/WHEEL +1 -1
- {fastapi_sso-0.18.0.dist-info → fastapi_sso-0.19.0.dist-info/licenses}/LICENSE.md +0 -0
fastapi_sso/sso/base.py
CHANGED
|
@@ -341,6 +341,8 @@ class SSOBase:
|
|
|
341
341
|
response = RedirectResponse(login_uri, 303)
|
|
342
342
|
if self.uses_pkce:
|
|
343
343
|
response.set_cookie("pkce_code_verifier", str(self._pkce_code_verifier))
|
|
344
|
+
if state is not None:
|
|
345
|
+
response.set_cookie("sso_state", state)
|
|
344
346
|
return response
|
|
345
347
|
|
|
346
348
|
@overload
|
|
@@ -402,6 +404,14 @@ class SSOBase:
|
|
|
402
404
|
)
|
|
403
405
|
raise SSOLoginError(400, "'code' parameter was not found in callback request")
|
|
404
406
|
self._state = request.query_params.get("state")
|
|
407
|
+
if self._state is None and self.requires_state:
|
|
408
|
+
raise SSOLoginError(400, "'state' parameter was not found in callback request")
|
|
409
|
+
if self._state is not None:
|
|
410
|
+
sso_state = request.cookies.get("sso_state")
|
|
411
|
+
if sso_state is None and self.requires_state:
|
|
412
|
+
raise SSOLoginError(401, "State cookie not found")
|
|
413
|
+
if sso_state is not None and sso_state != self._state:
|
|
414
|
+
raise SSOLoginError(401, "Invalid state")
|
|
405
415
|
pkce_code_verifier: Optional[str] = None
|
|
406
416
|
if self.uses_pkce:
|
|
407
417
|
pkce_code_verifier = request.cookies.get("pkce_code_verifier")
|
|
@@ -1,8 +1,9 @@
|
|
|
1
|
-
Metadata-Version: 2.
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
2
|
Name: fastapi-sso
|
|
3
|
-
Version: 0.
|
|
3
|
+
Version: 0.19.0
|
|
4
4
|
Summary: FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account)
|
|
5
5
|
License: MIT
|
|
6
|
+
License-File: LICENSE.md
|
|
6
7
|
Keywords: fastapi,sso,oauth,google,facebook,spotify,linkedin
|
|
7
8
|
Author: Tomas Votava
|
|
8
9
|
Author-email: info@tomasvotava.eu
|
|
@@ -14,6 +15,7 @@ Classifier: Programming Language :: Python :: 3.10
|
|
|
14
15
|
Classifier: Programming Language :: Python :: 3.11
|
|
15
16
|
Classifier: Programming Language :: Python :: 3.12
|
|
16
17
|
Classifier: Programming Language :: Python :: 3.13
|
|
18
|
+
Classifier: Programming Language :: Python :: 3.14
|
|
17
19
|
Requires-Dist: fastapi (>=0.80)
|
|
18
20
|
Requires-Dist: httpx (>=0.23.0)
|
|
19
21
|
Requires-Dist: oauthlib (>=3.1.0)
|
|
@@ -73,6 +75,16 @@ by [@parikls](https://github.com/parikls).
|
|
|
73
75
|
This issue was reported in [#186](https://github.com/tomasvotava/fastapi-sso/issues/186) and has been resolved
|
|
74
76
|
in version `0.16.0`.
|
|
75
77
|
|
|
78
|
+
### Version `0.19.0` Update: OAuth `state` Validation Fix
|
|
79
|
+
|
|
80
|
+
A critical OAuth login CSRF vulnerability caused by missing `state` validation was
|
|
81
|
+
reported by [@davidbors-snyk](https://github.com/davidbors-snyk) (Snyk Security Labs)
|
|
82
|
+
in [#266](https://github.com/tomasvotava/fastapi-sso/issues/266) and has been resolved
|
|
83
|
+
in version `0.19.0`.
|
|
84
|
+
|
|
85
|
+
Starting with `fastapi-sso==1.0.0`, OAuth `state` will be backed by a pluggable server-side store
|
|
86
|
+
(in-memory by default, with support for external stores such as `Redis`).
|
|
87
|
+
|
|
76
88
|
**Details of the Fix:**
|
|
77
89
|
|
|
78
90
|
The bug was mitigated by introducing an async lock mechanism that ensures only one user can attempt the login
|
|
@@ -2,7 +2,7 @@ fastapi_sso/__init__.py,sha256=2xdjBYKS18YTwHRsOCTibfL9xRxBZLVe03waEiMVNhg,1120
|
|
|
2
2
|
fastapi_sso/pkce.py,sha256=DhxoJrBIUxDlhAmy5tAoSIBts1WsyQ5KGqLbvDQER1w,767
|
|
3
3
|
fastapi_sso/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
4
4
|
fastapi_sso/sso/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
5
|
-
fastapi_sso/sso/base.py,sha256=
|
|
5
|
+
fastapi_sso/sso/base.py,sha256=juAQMbXJ19-EnbtkWP2bIBhRUrX6vbzdV_eKBicMh0o,23249
|
|
6
6
|
fastapi_sso/sso/bitbucket.py,sha256=pqMBDNhVR5rqda3yq5HCXsJzBFZBH2Df6SMIve6btYY,2109
|
|
7
7
|
fastapi_sso/sso/discord.py,sha256=iJzR17XyPq8YJWwht083yPyCrEtLOHD3E1HGxDSgUtQ,1786
|
|
8
8
|
fastapi_sso/sso/facebook.py,sha256=JaGCT2v56iRRQlnoZ5OSsB19677gyMU7U5dZTjVE_mc,1368
|
|
@@ -22,7 +22,7 @@ fastapi_sso/sso/spotify.py,sha256=FvX2N91Bi3wgKRwdU1sWo-zA0s3wYJCiCYA05ebXweE,12
|
|
|
22
22
|
fastapi_sso/sso/twitter.py,sha256=1kMjFdh-OT1b5bJvY3tWfl-BRBv2hVZ6L_liLAvNML8,1249
|
|
23
23
|
fastapi_sso/sso/yandex.py,sha256=8jKkh-na62lwsaBW7Pvj6VC6WlR0RMg8KrSNlr2Hj8o,1507
|
|
24
24
|
fastapi_sso/state.py,sha256=9RKMrFGjeN4Ab-3var81QV-gpcBlnNy152WYbxTUGVY,300
|
|
25
|
-
fastapi_sso-0.
|
|
26
|
-
fastapi_sso-0.
|
|
27
|
-
fastapi_sso-0.
|
|
28
|
-
fastapi_sso-0.
|
|
25
|
+
fastapi_sso-0.19.0.dist-info/METADATA,sha256=epJN5NOtoDaKbSvX29GCY3OF71tFb4VXUcJeDA5kz0E,7771
|
|
26
|
+
fastapi_sso-0.19.0.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
|
|
27
|
+
fastapi_sso-0.19.0.dist-info/licenses/LICENSE.md,sha256=5NVQtYs6liDtYdWM4VObWmTTKaK0k9C9txx5pLPJSyQ,1093
|
|
28
|
+
fastapi_sso-0.19.0.dist-info/RECORD,,
|
|
File without changes
|