fastapi-sso 0.18.0__tar.gz → 0.19.0__tar.gz

{fastapi_sso-0.18.0 → fastapi_sso-0.19.0}/PKG-INFO

@@ -1,8 +1,9 @@
-Metadata-Version: 2.3
+Metadata-Version: 2.4
 Name: fastapi-sso
-Version: 0.18.0
+Version: 0.19.0
 Summary: FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account)
 License: MIT
+License-File: LICENSE.md
 Keywords: fastapi,sso,oauth,google,facebook,spotify,linkedin
 Author: Tomas Votava
 Author-email: info@tomasvotava.eu
@@ -14,6 +15,7 @@ Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
 Requires-Dist: fastapi (>=0.80)
 Requires-Dist: httpx (>=0.23.0)
 Requires-Dist: oauthlib (>=3.1.0)
@@ -73,6 +75,16 @@ by [@parikls](https://github.com/parikls).
 This issue was reported in [#186](https://github.com/tomasvotava/fastapi-sso/issues/186) and has been resolved
 in version `0.16.0`.
 
+### Version `0.19.0` Update: OAuth `state` Validation Fix
+
+A critical OAuth login CSRF vulnerability caused by missing `state` validation was
+reported by [@davidbors-snyk](https://github.com/davidbors-snyk) (Snyk Security Labs)
+in [#266](https://github.com/tomasvotava/fastapi-sso/issues/266) and has been resolved
+in version `0.19.0`.
+
+Starting with `fastapi-sso==1.0.0`, OAuth `state` will be backed by a pluggable server-side store
+(in-memory by default, with support for external stores such as `Redis`).
+
 **Details of the Fix:**
 
 The bug was mitigated by introducing an async lock mechanism that ensures only one user can attempt the login

{fastapi_sso-0.18.0 → fastapi_sso-0.19.0}/README.md

@@ -46,6 +46,16 @@ by [@parikls](https://github.com/parikls).
 This issue was reported in [#186](https://github.com/tomasvotava/fastapi-sso/issues/186) and has been resolved
 in version `0.16.0`.
 
+### Version `0.19.0` Update: OAuth `state` Validation Fix
+
+A critical OAuth login CSRF vulnerability caused by missing `state` validation was
+reported by [@davidbors-snyk](https://github.com/davidbors-snyk) (Snyk Security Labs)
+in [#266](https://github.com/tomasvotava/fastapi-sso/issues/266) and has been resolved
+in version `0.19.0`.
+
+Starting with `fastapi-sso==1.0.0`, OAuth `state` will be backed by a pluggable server-side store
+(in-memory by default, with support for external stores such as `Redis`).
+
 **Details of the Fix:**
 
 The bug was mitigated by introducing an async lock mechanism that ensures only one user can attempt the login

{fastapi_sso-0.18.0 → fastapi_sso-0.19.0}/fastapi_sso/sso/base.py

@@ -341,6 +341,8 @@ class SSOBase:
         response = RedirectResponse(login_uri, 303)
         if self.uses_pkce:
             response.set_cookie("pkce_code_verifier", str(self._pkce_code_verifier))
+        if state is not None:
+            response.set_cookie("sso_state", state)
         return response
 
     @overload
@@ -402,6 +404,14 @@ class SSOBase:
             )
             raise SSOLoginError(400, "'code' parameter was not found in callback request")
         self._state = request.query_params.get("state")
+        if self._state is None and self.requires_state:
+            raise SSOLoginError(400, "'state' parameter was not found in callback request")
+        if self._state is not None:
+            sso_state = request.cookies.get("sso_state")
+            if sso_state is None and self.requires_state:
+                raise SSOLoginError(401, "State cookie not found")
+            if sso_state is not None and sso_state != self._state:
+                raise SSOLoginError(401, "Invalid state")
         pkce_code_verifier: Optional[str] = None
         if self.uses_pkce:
             pkce_code_verifier = request.cookies.get("pkce_code_verifier")

{fastapi_sso-0.18.0 → fastapi_sso-0.19.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "fastapi-sso"
-version = "0.18.0"
+version = "0.19.0"
 description = "FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account)"
 authors = ["Tomas Votava <info@tomasvotava.eu>"]
 readme = "README.md"
@@ -92,18 +92,18 @@ docs = "mkdocs build --clean"
 
 [tool.poetry.group.dev.dependencies]
 black = ">=23.7.0"
-isort = "^5"
+isort = ">=5,<7"
 markdown-include = "^0.8.1"
 mkdocs-material = { extras = ["imaging"], version = "^9.3.2" }
-mkdocstrings = { extras = ["python"], version = ">=0.23,<0.27" }
+mkdocstrings = { extras = ["python"], version = ">=0.23,<0.31" }
 mypy = "^1"
-poethepoet = ">=0.21.1,<0.31.0"
-pre-commit = "^3"
+poethepoet = ">=0.21.1,<0.38.0"
+pre-commit = ">=3,<5"
 pytest = ">=7,<9"
-pytest-asyncio = "^0.24"
-pytest-cov = ">=4,<6"
+pytest-asyncio = ">=0.24,<1.3"
+pytest-cov = ">=4,<8"
 uvicorn = ">=0.23.1"
-ruff = ">=0.4.2,<0.12.0"
+ruff = ">=0.4.2,<0.15.0"
 
 [tool.poetry.dependencies]
 fastapi = ">=0.80"