fastapi-sso 0.18.0__py3-none-any.whl → 0.20.0__py3-none-any.whl

fastapi_sso/__init__.py

@@ -18,6 +18,7 @@ from .sso.linkedin import LinkedInSSO
 from .sso.microsoft import MicrosoftSSO
 from .sso.naver import NaverSSO
 from .sso.notion import NotionSSO
+from .sso.soundcloud import SoundcloudSSO
 from .sso.spotify import SpotifySSO
 from .sso.twitter import TwitterSSO
 
@@ -38,6 +39,7 @@ __all__ = [
     "OpenID",
     "SSOBase",
     "SSOLoginError",
+    "SoundcloudSSO",
     "SpotifySSO",
     "TwitterSSO",
     "create_provider",

fastapi_sso/sso/base.py

@@ -341,6 +341,8 @@ class SSOBase:
         response = RedirectResponse(login_uri, 303)
         if self.uses_pkce:
             response.set_cookie("pkce_code_verifier", str(self._pkce_code_verifier))
+        if state is not None:
+            response.set_cookie("sso_state", state)
         return response
 
     @overload
@@ -402,6 +404,14 @@ class SSOBase:
             )
             raise SSOLoginError(400, "'code' parameter was not found in callback request")
         self._state = request.query_params.get("state")
+        if self._state is None and self.requires_state:
+            raise SSOLoginError(400, "'state' parameter was not found in callback request")
+        if self._state is not None:
+            sso_state = request.cookies.get("sso_state")
+            if sso_state is None and self.requires_state:
+                raise SSOLoginError(401, "State cookie not found")
+            if sso_state is not None and sso_state != self._state:
+                raise SSOLoginError(401, "Invalid state")
         pkce_code_verifier: Optional[str] = None
         if self.uses_pkce:
             pkce_code_verifier = request.cookies.get("pkce_code_verifier")

fastapi_sso/sso/kakao.py

@@ -15,6 +15,10 @@ class KakaoSSO(SSOBase):
     scop: ClassVar = ["openid"]
     version = "v2"
 
+    @property
+    def _extra_query_params(self) -> dict:
+        return {"client_secret": self.client_secret}
+
     async def get_discovery_document(self) -> DiscoveryDocument:
         return {
             "authorization_endpoint": "https://kauth.kakao.com/oauth/authorize",

fastapi_sso/sso/naver.py

@@ -15,6 +15,10 @@ class NaverSSO(SSOBase):
     scope: ClassVar[list[str]] = []
     additional_headers: ClassVar = {"accept": "application/json"}
 
+    @property
+    def _extra_query_params(self) -> dict:
+        return {"client_secret": self.client_secret}
+
     async def get_discovery_document(self) -> DiscoveryDocument:
         return {
             "authorization_endpoint": "https://nid.naver.com/oauth2.0/authorize",

fastapi_sso/sso/seznam.py

@@ -18,6 +18,10 @@ class SeznamSSO(SSOBase):
     base_url = "https://login.szn.cz/api/v1"
     scope: ClassVar = ["identity", "avatar"]  # + ["contact-phone", "adulthood", "birthday", "gender"]
 
+    @property
+    def _extra_query_params(self) -> dict:
+        return {"client_secret": self.client_secret}
+
     async def get_discovery_document(self) -> DiscoveryDocument:
         """Get document containing handy urls."""
         return {

fastapi_sso/sso/soundcloud.py

@@ -0,0 +1,38 @@
+"""Soundcloud SSO Login Helper."""
+
+from typing import TYPE_CHECKING, ClassVar, Optional
+
+from fastapi_sso.sso.base import DiscoveryDocument, OpenID, SSOBase
+
+if TYPE_CHECKING:
+    import httpx  # pragma: no cover
+
+
+class SoundcloudSSO(SSOBase):
+    """Class providing login via Soundcloud OAuth."""
+
+    provider = "soundcloud"
+    scope: ClassVar = ["openid"]
+
+    @property
+    def _extra_query_params(self) -> dict:
+        return {"client_secret": self.client_secret}
+
+    async def get_discovery_document(self) -> DiscoveryDocument:
+        """Get document containing handy urls."""
+        return {
+            "authorization_endpoint": "https://secure.soundcloud.com/authorize",
+            "token_endpoint": "https://secure.soundcloud.com/oauth/token",
+            "userinfo_endpoint": "https://api.soundcloud.com/me",
+        }
+
+    async def openid_from_response(self, response: dict, session: Optional["httpx.AsyncClient"] = None) -> OpenID:
+        """Return OpenID from user information provided by Soundcloud."""
+        return OpenID(
+            id=str(response.get("id")),
+            first_name=response.get("first_name"),
+            last_name=response.get("last_name"),
+            display_name=response.get("username"),
+            picture=response.get("avatar_url"),
+            provider=self.provider,
+        )

{fastapi_sso-0.18.0.dist-info → fastapi_sso-0.20.0.dist-info}/METADATA

@@ -1,8 +1,9 @@
-Metadata-Version: 2.3
+Metadata-Version: 2.4
 Name: fastapi-sso
-Version: 0.18.0
+Version: 0.20.0
 Summary: FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account)
 License: MIT
+License-File: LICENSE.md
 Keywords: fastapi,sso,oauth,google,facebook,spotify,linkedin
 Author: Tomas Votava
 Author-email: info@tomasvotava.eu
@@ -14,6 +15,7 @@ Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
 Requires-Dist: fastapi (>=0.80)
 Requires-Dist: httpx (>=0.23.0)
 Requires-Dist: oauthlib (>=3.1.0)
@@ -65,6 +67,16 @@ Quick links for the eager ones:
 
 ## Security Notice
 
+### Version `0.19.0` Update: OAuth `state` Validation Fix
+
+A critical OAuth login CSRF vulnerability caused by missing `state` validation was
+reported by [@davidbors-snyk](https://github.com/davidbors-snyk) (Snyk Security Labs)
+in [#266](https://github.com/tomasvotava/fastapi-sso/issues/266) and has been resolved
+in version `0.19.0`.
+
+Starting with `fastapi-sso==1.0.0`, OAuth `state` will be backed by a pluggable server-side store
+(in-memory by default, with support for external stores such as `Redis`).
+
 ### Version `0.16.0` Update: Race Condition Bug Fix & Context Manager Change
 
 A race condition bug in the login flow that could, in rare cases, allow one user
@@ -145,6 +157,7 @@ I tend to process Pull Requests faster when properly caffeinated 😉.
 - Seznam (by Tomas Koutek) - [TomasKoutek](https://github.com/TomasKoutek)
 - Discord (by Kaelian Baudelet) - [afi-dev](https://github.com/afi-dev)
 - Bitbucket (by Kaelian Baudelet) - [afi-dev](https://github.com/afi-dev)
+- Soundcloud (by John) - [john-9474](https://github.com/john-9474)
 
 See [Contributing](#contributing) for a guide on how to contribute your own login provider.
 

{fastapi_sso-0.18.0.dist-info → fastapi_sso-0.20.0.dist-info}/RECORD

@@ -1,8 +1,8 @@
-fastapi_sso/__init__.py,sha256=2xdjBYKS18YTwHRsOCTibfL9xRxBZLVe03waEiMVNhg,1120
+fastapi_sso/__init__.py,sha256=erTb2pUMF0QR0VsmHhUX1HsbAVm0ZToXAeIq-7vJxkQ,1183
 fastapi_sso/pkce.py,sha256=DhxoJrBIUxDlhAmy5tAoSIBts1WsyQ5KGqLbvDQER1w,767
 fastapi_sso/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 fastapi_sso/sso/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-fastapi_sso/sso/base.py,sha256=s3SBUfjZcP17sIhVLK8pV1BK65zjt18nlC_g36FmGLw,22676
+fastapi_sso/sso/base.py,sha256=juAQMbXJ19-EnbtkWP2bIBhRUrX6vbzdV_eKBicMh0o,23249
 fastapi_sso/sso/bitbucket.py,sha256=pqMBDNhVR5rqda3yq5HCXsJzBFZBH2Df6SMIve6btYY,2109
 fastapi_sso/sso/discord.py,sha256=iJzR17XyPq8YJWwht083yPyCrEtLOHD3E1HGxDSgUtQ,1786
 fastapi_sso/sso/facebook.py,sha256=JaGCT2v56iRRQlnoZ5OSsB19677gyMU7U5dZTjVE_mc,1368
@@ -11,18 +11,19 @@ fastapi_sso/sso/generic.py,sha256=I3qvR1pwNuxJG2GbDcjIvnNdnYO4tD8NAiLz2H-Bj5E,26
 fastapi_sso/sso/github.py,sha256=Ol0W6vjmErY8M9XlMCH9nbKsnZfXeOClDNx3oUX52_c,1754
 fastapi_sso/sso/gitlab.py,sha256=EA-1p2Iklh5W-TrBhCFAeupxuUZJ4RPMNKRfUS5fq6U,2701
 fastapi_sso/sso/google.py,sha256=LIBV-nEoH2CTJCpINVu7jEfPqRlPQCAPSWK4MKBgsM0,1399
-fastapi_sso/sso/kakao.py,sha256=qcsNUXbVTdyb_0V2CHTqplG82ftbnJ1uMB_GenEaiG0,905
+fastapi_sso/sso/kakao.py,sha256=MeKSW6t-o-x2JajW71FeJGT_MmYYcWpn03cURjJA7XA,1016
 fastapi_sso/sso/line.py,sha256=F6XmXO5RBllGV5U0mhujEiJ4GsZKwzoabLfi-l54lwM,1233
 fastapi_sso/sso/linkedin.py,sha256=ju5evL8SR_-AjbLT2zUjliXlFARRxBpdP1EGsLKeBl0,1525
 fastapi_sso/sso/microsoft.py,sha256=xFA3ngVz6JS9Eg5zIQfYR6TnJuR1ZLOLGXOSbEbJCJE,1954
-fastapi_sso/sso/naver.py,sha256=mMiHfHlpdamAJ-O7BmagtJGCeQIlptGDI-jot1O4RVc,1143
+fastapi_sso/sso/naver.py,sha256=snBtYMJEbCxsAjRYObmj899D75ogPPPOh5n9AmHwHjo,1254
 fastapi_sso/sso/notion.py,sha256=YWGBUhN-CFTEpjIgkkEUS5JmGawyhJE57XB4Q9nFOD4,1334
-fastapi_sso/sso/seznam.py,sha256=HGI01QPBYslv_b6Lq3oTL2UWPnNLPu45y3rgTdDqxpU,1383
+fastapi_sso/sso/seznam.py,sha256=c15JNxdIGJOLXJS_4-vA42rb6MazlQKL1oclQ536MsQ,1494
+fastapi_sso/sso/soundcloud.py,sha256=y7EpNUslTep60hfl0Pk_NE1-qAvKbvocEAYxofLSABM,1336
 fastapi_sso/sso/spotify.py,sha256=FvX2N91Bi3wgKRwdU1sWo-zA0s3wYJCiCYA05ebXweE,1244
 fastapi_sso/sso/twitter.py,sha256=1kMjFdh-OT1b5bJvY3tWfl-BRBv2hVZ6L_liLAvNML8,1249
 fastapi_sso/sso/yandex.py,sha256=8jKkh-na62lwsaBW7Pvj6VC6WlR0RMg8KrSNlr2Hj8o,1507
 fastapi_sso/state.py,sha256=9RKMrFGjeN4Ab-3var81QV-gpcBlnNy152WYbxTUGVY,300
-fastapi_sso-0.18.0.dist-info/LICENSE.md,sha256=5NVQtYs6liDtYdWM4VObWmTTKaK0k9C9txx5pLPJSyQ,1093
-fastapi_sso-0.18.0.dist-info/METADATA,sha256=5E3Hn1f4FDZOHR5rRAJQ37o6Uevv3G9G97ae1FOLLKo,7185
-fastapi_sso-0.18.0.dist-info/WHEEL,sha256=XbeZDeTWKc1w7CSIyre5aMDU_-PohRwTQceYnisIYYY,88
-fastapi_sso-0.18.0.dist-info/RECORD,,
+fastapi_sso-0.20.0.dist-info/METADATA,sha256=YBESyXezOtH2-ZJz8-YpUWuNUXTe7kFa4-9w3hbMkZ0,7838
+fastapi_sso-0.20.0.dist-info/WHEEL,sha256=kJCRJT_g0adfAJzTx2GUMmS80rTJIVHRCfG0DQgLq3o,88
+fastapi_sso-0.20.0.dist-info/licenses/LICENSE.md,sha256=5NVQtYs6liDtYdWM4VObWmTTKaK0k9C9txx5pLPJSyQ,1093
+fastapi_sso-0.20.0.dist-info/RECORD,,

{fastapi_sso-0.18.0.dist-info → fastapi_sso-0.20.0.dist-info}/WHEEL

@@ -1,4 +1,4 @@
 Wheel-Version: 1.0
-Generator: poetry-core 2.1.1
+Generator: poetry-core 2.3.1
 Root-Is-Purelib: true
 Tag: py3-none-any