/auth endpoint allows specifying a push_wait parameter #1743

Closed
fredreichbier opened this issue Jul 12, 2019 · 0 comments

Comments

@fredreichbier
Member

commented Jul 12, 2019

This is a follow-up to #1583, which introduced the push_wait policy action. This action allows triggering a challenge and waiting for the confirmation by the user in a single request to /validate/check. Internally, the policy decorator function pushtoken_wait sets a push_wait option, either to a number of seconds:

request.all_data[PUSH_ACTION.WAIT] = int(list(waiting)[0])

or False:

request.all_data[PUSH_ACTION.WAIT] = False

The push token later reads the push_wait option value to find out whether to wait for the user confirmation or not:

if options.get(PUSH_ACTION.WAIT):

As it turns out, the same code location is hit by an /auth request. But as this endpoint is not decorated with pushtoken_wait, we never explicitly set the push_wait option. As a result, the user can manually pass a push_wait option in the request body.

As the documentation explicitly states that push_wait only takes effect for /validate/check, the push_wait option should be ignored in the /auth request.

@fredreichbier fredreichbier added this to the 3.1 polishing policies milestone Jul 12, 2019

@fredreichbier fredreichbier self-assigned this Jul 12, 2019

fredreichbier added a commit that referenced this issue Jul 12, 2019

fredreichbier added a commit that referenced this issue Jul 12, 2019

fredreichbier added a commit that referenced this issue Jul 12, 2019

fredreichbier added a commit that referenced this issue Jul 30, 2019

fredreichbier added a commit that referenced this issue Jul 30, 2019
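
The pattern described in this issue, as an added example that is not part of the original issue and not privacyIDEA's code: a simplified model in which one endpoint always overwrites an internal option server-side while another passes the client's request body through untouched. The handler and decorator names, the `strip_internal_options` mitigation and the sample request body are hypothetical and constructed for illustration.

```python
# Simplified model of the issue; every name here is a hypothetical stand-in.
from functools import wraps

PUSH_WAIT = "push_wait"  # option key later read by the token code


def token_authenticate(options):
    """Stand-in for the push token: returns the number of seconds it would wait."""
    wait = options.get(PUSH_WAIT)
    return int(wait) if wait else 0


def policy_sets_wait(policy_seconds):
    """Model of a policy decorator: always overwrites the option server-side."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(all_data):
            data = dict(all_data)
            data[PUSH_WAIT] = policy_seconds if policy_seconds else False
            return handler(data)
        return wrapper
    return decorator


def strip_internal_options(handler):
    """Hardened form for an undecorated endpoint: drop the client-supplied value."""
    @wraps(handler)
    def wrapper(all_data):
        return handler({k: v for k, v in all_data.items() if k != PUSH_WAIT})
    return wrapper


@policy_sets_wait(policy_seconds=0)  # no push_wait policy configured
def validate_check(all_data):
    return token_authenticate(all_data)


def auth_unfiltered(all_data):
    # No decorator: whatever the client sent reaches the token code.
    return token_authenticate(all_data)


@strip_internal_options
def auth_filtered(all_data):
    return token_authenticate(all_data)


# Constructed request body in which the client supplies the internal option.
CLIENT_BODY = {"username": "alice", "password": "pin", "push_wait": "300"}
```

The general check this suggests: any option that is meant to be set only by server-side policy should be overwritten or removed on every endpoint that reaches the code reading it, not only on the endpoints that use it.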
