fastapi-sso 0.18.0__tar.gz → 0.20.0__tar.gz

{fastapi_sso-0.18.0 → fastapi_sso-0.20.0}/PKG-INFO

@@ -1,8 +1,9 @@
-Metadata-Version: 2.3
+Metadata-Version: 2.4
 Name: fastapi-sso
-Version: 0.18.0
+Version: 0.20.0
 Summary: FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account)
 License: MIT
+License-File: LICENSE.md
 Keywords: fastapi,sso,oauth,google,facebook,spotify,linkedin
 Author: Tomas Votava
 Author-email: info@tomasvotava.eu
@@ -14,6 +15,7 @@ Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
 Requires-Dist: fastapi (>=0.80)
 Requires-Dist: httpx (>=0.23.0)
 Requires-Dist: oauthlib (>=3.1.0)
@@ -65,6 +67,16 @@ Quick links for the eager ones:
 
 ## Security Notice
 
+### Version `0.19.0` Update: OAuth `state` Validation Fix
+
+A critical OAuth login CSRF vulnerability caused by missing `state` validation was
+reported by [@davidbors-snyk](https://github.com/davidbors-snyk) (Snyk Security Labs)
+in [#266](https://github.com/tomasvotava/fastapi-sso/issues/266) and has been resolved
+in version `0.19.0`.
+
+Starting with `fastapi-sso==1.0.0`, OAuth `state` will be backed by a pluggable server-side store
+(in-memory by default, with support for external stores such as `Redis`).
+
 ### Version `0.16.0` Update: Race Condition Bug Fix & Context Manager Change
 
 A race condition bug in the login flow that could, in rare cases, allow one user
@@ -145,6 +157,7 @@ I tend to process Pull Requests faster when properly caffeinated 😉.
 - Seznam (by Tomas Koutek) - [TomasKoutek](https://github.com/TomasKoutek)
 - Discord (by Kaelian Baudelet) - [afi-dev](https://github.com/afi-dev)
 - Bitbucket (by Kaelian Baudelet) - [afi-dev](https://github.com/afi-dev)
+- Soundcloud (by John) - [john-9474](https://github.com/john-9474)
 
 See [Contributing](#contributing) for a guide on how to contribute your own login provider.
 

{fastapi_sso-0.18.0 → fastapi_sso-0.20.0}/README.md

@@ -38,6 +38,16 @@ Quick links for the eager ones:
 
 ## Security Notice
 
+### Version `0.19.0` Update: OAuth `state` Validation Fix
+
+A critical OAuth login CSRF vulnerability caused by missing `state` validation was
+reported by [@davidbors-snyk](https://github.com/davidbors-snyk) (Snyk Security Labs)
+in [#266](https://github.com/tomasvotava/fastapi-sso/issues/266) and has been resolved
+in version `0.19.0`.
+
+Starting with `fastapi-sso==1.0.0`, OAuth `state` will be backed by a pluggable server-side store
+(in-memory by default, with support for external stores such as `Redis`).
+
 ### Version `0.16.0` Update: Race Condition Bug Fix & Context Manager Change
 
 A race condition bug in the login flow that could, in rare cases, allow one user
@@ -118,6 +128,7 @@ I tend to process Pull Requests faster when properly caffeinated 😉.
 - Seznam (by Tomas Koutek) - [TomasKoutek](https://github.com/TomasKoutek)
 - Discord (by Kaelian Baudelet) - [afi-dev](https://github.com/afi-dev)
 - Bitbucket (by Kaelian Baudelet) - [afi-dev](https://github.com/afi-dev)
+- Soundcloud (by John) - [john-9474](https://github.com/john-9474)
 
 See [Contributing](#contributing) for a guide on how to contribute your own login provider.
 

{fastapi_sso-0.18.0 → fastapi_sso-0.20.0}/fastapi_sso/__init__.py

@@ -18,6 +18,7 @@ from .sso.linkedin import LinkedInSSO
 from .sso.microsoft import MicrosoftSSO
 from .sso.naver import NaverSSO
 from .sso.notion import NotionSSO
+from .sso.soundcloud import SoundcloudSSO
 from .sso.spotify import SpotifySSO
 from .sso.twitter import TwitterSSO
 
@@ -38,6 +39,7 @@ __all__ = [
     "OpenID",
     "SSOBase",
     "SSOLoginError",
+    "SoundcloudSSO",
     "SpotifySSO",
     "TwitterSSO",
     "create_provider",

{fastapi_sso-0.18.0 → fastapi_sso-0.20.0}/fastapi_sso/sso/base.py

@@ -341,6 +341,8 @@ class SSOBase:
         response = RedirectResponse(login_uri, 303)
         if self.uses_pkce:
             response.set_cookie("pkce_code_verifier", str(self._pkce_code_verifier))
+        if state is not None:
+            response.set_cookie("sso_state", state)
         return response
 
     @overload
@@ -402,6 +404,14 @@ class SSOBase:
             )
             raise SSOLoginError(400, "'code' parameter was not found in callback request")
         self._state = request.query_params.get("state")
+        if self._state is None and self.requires_state:
+            raise SSOLoginError(400, "'state' parameter was not found in callback request")
+        if self._state is not None:
+            sso_state = request.cookies.get("sso_state")
+            if sso_state is None and self.requires_state:
+                raise SSOLoginError(401, "State cookie not found")
+            if sso_state is not None and sso_state != self._state:
+                raise SSOLoginError(401, "Invalid state")
         pkce_code_verifier: Optional[str] = None
         if self.uses_pkce:
             pkce_code_verifier = request.cookies.get("pkce_code_verifier")

{fastapi_sso-0.18.0 → fastapi_sso-0.20.0}/fastapi_sso/sso/kakao.py

@@ -15,6 +15,10 @@ class KakaoSSO(SSOBase):
     scop: ClassVar = ["openid"]
     version = "v2"
 
+    @property
+    def _extra_query_params(self) -> dict:
+        return {"client_secret": self.client_secret}
+
     async def get_discovery_document(self) -> DiscoveryDocument:
         return {
             "authorization_endpoint": "https://kauth.kakao.com/oauth/authorize",

{fastapi_sso-0.18.0 → fastapi_sso-0.20.0}/fastapi_sso/sso/naver.py

@@ -15,6 +15,10 @@ class NaverSSO(SSOBase):
     scope: ClassVar[list[str]] = []
     additional_headers: ClassVar = {"accept": "application/json"}
 
+    @property
+    def _extra_query_params(self) -> dict:
+        return {"client_secret": self.client_secret}
+
     async def get_discovery_document(self) -> DiscoveryDocument:
         return {
             "authorization_endpoint": "https://nid.naver.com/oauth2.0/authorize",

{fastapi_sso-0.18.0 → fastapi_sso-0.20.0}/fastapi_sso/sso/seznam.py

@@ -18,6 +18,10 @@ class SeznamSSO(SSOBase):
     base_url = "https://login.szn.cz/api/v1"
     scope: ClassVar = ["identity", "avatar"]  # + ["contact-phone", "adulthood", "birthday", "gender"]
 
+    @property
+    def _extra_query_params(self) -> dict:
+        return {"client_secret": self.client_secret}
+
     async def get_discovery_document(self) -> DiscoveryDocument:
         """Get document containing handy urls."""
         return {

fastapi_sso-0.20.0/fastapi_sso/sso/soundcloud.py

@@ -0,0 +1,38 @@
+"""Soundcloud SSO Login Helper."""
+
+from typing import TYPE_CHECKING, ClassVar, Optional
+
+from fastapi_sso.sso.base import DiscoveryDocument, OpenID, SSOBase
+
+if TYPE_CHECKING:
+    import httpx  # pragma: no cover
+
+
+class SoundcloudSSO(SSOBase):
+    """Class providing login via Soundcloud OAuth."""
+
+    provider = "soundcloud"
+    scope: ClassVar = ["openid"]
+
+    @property
+    def _extra_query_params(self) -> dict:
+        return {"client_secret": self.client_secret}
+
+    async def get_discovery_document(self) -> DiscoveryDocument:
+        """Get document containing handy urls."""
+        return {
+            "authorization_endpoint": "https://secure.soundcloud.com/authorize",
+            "token_endpoint": "https://secure.soundcloud.com/oauth/token",
+            "userinfo_endpoint": "https://api.soundcloud.com/me",
+        }
+
+    async def openid_from_response(self, response: dict, session: Optional["httpx.AsyncClient"] = None) -> OpenID:
+        """Return OpenID from user information provided by Soundcloud."""
+        return OpenID(
+            id=str(response.get("id")),
+            first_name=response.get("first_name"),
+            last_name=response.get("last_name"),
+            display_name=response.get("username"),
+            picture=response.get("avatar_url"),
+            provider=self.provider,
+        )

{fastapi_sso-0.18.0 → fastapi_sso-0.20.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "fastapi-sso"
-version = "0.18.0"
+version = "0.20.0"
 description = "FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account)"
 authors = ["Tomas Votava <info@tomasvotava.eu>"]
 readme = "README.md"
@@ -92,18 +92,18 @@ docs = "mkdocs build --clean"
 
 [tool.poetry.group.dev.dependencies]
 black = ">=23.7.0"
-isort = "^5"
+isort = ">=5,<7"
 markdown-include = "^0.8.1"
 mkdocs-material = { extras = ["imaging"], version = "^9.3.2" }
-mkdocstrings = { extras = ["python"], version = ">=0.23,<0.27" }
+mkdocstrings = { extras = ["python"], version = ">=0.23,<0.31" }
 mypy = "^1"
-poethepoet = ">=0.21.1,<0.31.0"
-pre-commit = "^3"
+poethepoet = ">=0.21.1,<0.38.0"
+pre-commit = ">=3,<5"
 pytest = ">=7,<9"
-pytest-asyncio = "^0.24"
-pytest-cov = ">=4,<6"
+pytest-asyncio = ">=0.24,<1.3"
+pytest-cov = ">=4,<8"
 uvicorn = ">=0.23.1"
-ruff = ">=0.4.2,<0.12.0"
+ruff = ">=0.4.2,<0.15.0"
 
 [tool.poetry.dependencies]
 fastapi = ">=0.80"