diff options
author | Magnus Hagander | 2013-06-20 13:21:02 +0000 |
---|---|---|
committer | Magnus Hagander | 2013-06-20 13:21:02 +0000 |
commit | 0d49984a601b08fb25ebfa0a2f7ee2e75b663909 (patch) | |
tree | 0e843fad71b3428818bf06a3d739036408fae9df /postgresqleu/auth.py | |
parent | 8373ecfaa5de1a1d2afe0fc73f8b1b8a8bfe1045 (diff) |
Update community authentication to use encrypted parameters for redirection
Diffstat (limited to 'postgresqleu/auth.py')
-rw-r--r-- | postgresqleu/auth.py | 37 |
1 files changed, 31 insertions, 6 deletions
diff --git a/postgresqleu/auth.py b/postgresqleu/auth.py index c3118d51..3f750b4a 100644 --- a/postgresqleu/auth.py +++ b/postgresqleu/auth.py @@ -27,8 +27,10 @@ from django.conf import settings import base64 import urlparse -from urllib import quote_plus +import urllib from Crypto.Cipher import AES +from Crypto.Hash import SHA +from Crypto import Random import time class AuthBackend(ModelBackend): @@ -45,9 +47,20 @@ class AuthBackend(ModelBackend): # Handle login requests by sending them off to the main site def login(request): if request.GET.has_key('next'): - return HttpResponseRedirect("%s?su=%s" % ( + # Put together an url-encoded dict of parameters we're getting back, + # including a small nonce at the beginning to make sure it doesn't + # encrypt the same way every time. + s = "t=%s&%s" % (int(time.time()), urllib.urlencode({'r': request.GET['next']})) + # Now encrypt it + r = Random.new() + iv = r.read(16) + encryptor = AES.new(SHA.new(settings.SECRET_KEY).digest()[:16], AES.MODE_CBC, iv) + cipher = encryptor.encrypt(s + ' ' * (16-(len(s) % 16))) # pad to 16 bytes + + return HttpResponseRedirect("%s?d=%s$%s" % ( settings.PGAUTH_REDIRECT, - quote_plus(request.GET['next']), + base64.b64encode(iv, "-_"), + base64.b64encode(cipher, "-_"), )) else: return HttpResponseRedirect(settings.PGAUTH_REDIRECT) @@ -119,9 +132,21 @@ def auth_receive(request): user.backend = "%s.%s" % (AuthBackend.__module__, AuthBackend.__name__) django_login(request, user) - # Finally, redirect the user - if data.has_key('su'): - return HttpResponseRedirect(data['su'][0]) + # Finally, check of we have a data package that tells us where to + # redirect the user. + if data.has_key('d'): + (ivs, datas) = data['d'][0].split('$') + decryptor = AES.new(SHA.new(settings.SECRET_KEY).digest()[:16], + AES.MODE_CBC, + base64.b64decode(ivs, "-_")) + s = decryptor.decrypt(base64.b64decode(datas, "-_")).rstrip(' ') + try: + rdata = urlparse.parse_qs(s, strict_parsing=True) + except ValueError, e: + raise Exception("Invalid encrypted data received.") + if rdata.has_key('r'): + # Redirect address + return HttpResponseRedirect(rdata['r'][0]) # No redirect specified, see if we have it in our settings if hasattr(settings, 'PGAUTH_REDIRECT_SUCCESS'): return HttpResponseRedirect(settings.PGAUTH_REDIRECT_SUCCESS) |