BUG token authentication is accepted on endpoints which only allow 'session' as authentication-method #791
Comments
Thanks for the detailed issue - seems like a bug and I can see a reasonable use case to have some endpoints be session/web only (quite a few sites require web/session access to say retrieve access tokens).
Hadn't thought that far into use cases yet, but seems reasonable. One quick fix I could think of is by checking the With the growing authentication solutions it might be preferable to fix this with a big rework. But the above could serve as a quick/temp fix.
Thanks for your work - I have taken your PR and am working with it - hopefully get something up in the next few days.
Thank you for picking it up.
Yup - started with that - a big help.
If an endpoint was decorated with "session" only - a properly submitted token would also be accepted. Fix that by checking as part of the auth_required() decorator that the user is authenticated AND was authenticated using the _user_loader (which is what flask-login calls for session-based authentication). close #791
* Update test_common.py: Added test case for failing token authentication on session-only endpoint
* Update conftest.py: Added session-only authenticated route to test fixture
* Update decorators.py: Added the `_check_session` function to specifically check session data to be used as authentication_method in the `auth_required`
* Update decorators.py
* Update decorators.py
* fixed decorator and added tests
* Fix session-only authentication. If an endpoint was decorated with "session" only - a properly submitted token would also be accepted. Fix that by checking as part of the auth_required() decorator that the user is authenticated AND was authenticated using the _user_loader (which is what flask-login calls for session-based authentication). close #791
---------
Co-authored-by: N247S <fictiefverzonnen@gmail.com>
I am messing around a bit with configurations to figure out how things work, and what to be aware of when working with flask-security.

One thing I noticed was when one authenticates using a `token`, they can access endpoints which are protected with `auth_required('session')` (i.e. session-authentication only), which might not be a big problem, but goes against specs if I read it correctly.

Testcase:

From what I could figure out the `loginManager.request_loader` is called prior to the `auth_required`. Upon a request it tries to create a session and populates it, during which process the `current_user` proxy is called, which calls `_get_user()`, which in turn calls `current_app.login_manager._load_user()` to get the user, which in turn calls `_load_user_from_request()`, which is able to obtain the user from a token. This is pushed to the global variables (`g`) and is used to populate the `current_user`.

After this chain of events is done, the `auth_required` decorator is called, which for session-authentication checks `current_user.is_authenticated`, which is true because that user was found using the token already. This means the decorator basically allows `token` authentication to be used for `session` authentication. Again not sure if this is a big problem, but I think it goes against specs.

The version I tested this on is:
Flask 2.2.3
Flask-security-too 5.1.2 (fresh install as of 1 week ago, so I assume latest dependency versions)

If more information is needed, feel free to ask.
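The load chain described in the issue, modelled in plain Python as an added illustration (this is not Flask-Security's or flask-login's code; `Request`, `load_user` and the `check_loader` flag are hypothetical stand-ins for the real objects). The buggy decorator only asks whether some user was loaded, while the fixed one also asks which loader produced that user, which is the check the merged commit adds via `_user_loader`.

```python
from functools import wraps

# Constructed sample data: one user and one API token that maps to that user.
USERS = {1: "alice"}
TOKENS = {"tok-alice": 1}

class Request:
    """Stand-in for a Flask request: session data, headers and the per-request `g` scratch space."""
    def __init__(self, session=None, headers=None):
        self.session, self.headers, self.g = session or {}, headers or {}, {}

def _user_loader(user_id):
    # Session path: flask-login's user_loader resolves the `_user_id` kept in the session cookie.
    return USERS.get(user_id)

def _request_loader(req):
    # Token path: flask-login's request_loader resolves a user from the request itself.
    return USERS.get(TOKENS.get(req.headers.get("Authentication-Token")))

def load_user(req):
    """Mimics flask-login's _load_user(): session first, then request_loader, remembering which one won."""
    user = _user_loader(req.session.get("_user_id"))
    req.g["via"] = "session" if user else None
    if user is None:
        user = _request_loader(req)
        req.g["via"] = "token" if user else None
    req.g["user"] = user
    return user

def auth_required(*methods, check_loader):
    """Hypothetical decorator modelled on auth_required(). check_loader=False reproduces the bug
    (any authenticated user passes); check_loader=True also requires the loader to match."""
    def deco(view):
        @wraps(view)
        def wrapper(req):
            if load_user(req) is None:
                return 401                       # no user at all: reject
            if check_loader and req.g["via"] not in methods:
                return 401                       # authenticated, but not by an allowed method
            return view(req)
        return wrapper
    return deco

@auth_required("session", check_loader=False)
def session_only_buggy(req):
    return "ok"

@auth_required("session", check_loader=True)
def session_only_fixed(req):
    return "ok"
```

With a token-only request, `session_only_buggy` returns "ok" and `session_only_fixed` returns 401; with a session cookie both return "ok".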