
[oauth] Automatic management of state parameter

Ported from https://github.com/securedimensions/QGIS-OAuth2-Plugin

The Boundless Geo version of the plugin requires the state parameter to be provided by the user.
We have changed that because we think the user must not be responsible for providing it,
as a duplicated state parameter could lead to unintentional errors.
The Testbed 13 version generates the state parameter automatically for each authorization
request to the Authorization Server and checks the value returned in the redirect to protect against CSRF attacks.
elpaso committed Jul 17, 2018
1 parent 3d20cfe commit 2e88dd533ee9b9738840c309574ad5b639cfb953
@@ -44,7 +44,6 @@ QgsAuthOAuth2Config::QgsAuthOAuth2Config( QObject *parent )
connect( this, &QgsAuthOAuth2Config::usernameChanged, this, &QgsAuthOAuth2Config::configChanged );
connect( this, &QgsAuthOAuth2Config::passwordChanged, this, &QgsAuthOAuth2Config::configChanged );
connect( this, &QgsAuthOAuth2Config::scopeChanged, this, &QgsAuthOAuth2Config::configChanged );
connect( this, &QgsAuthOAuth2Config::stateChanged, this, &QgsAuthOAuth2Config::configChanged );
connect( this, &QgsAuthOAuth2Config::apiKeyChanged, this, &QgsAuthOAuth2Config::configChanged );
connect( this, &QgsAuthOAuth2Config::persistTokenChanged, this, &QgsAuthOAuth2Config::configChanged );
connect( this, &QgsAuthOAuth2Config::accessMethodChanged, this, &QgsAuthOAuth2Config::configChanged );
@@ -187,14 +186,6 @@ void QgsAuthOAuth2Config::setScope( const QString &value )
emit scopeChanged( mScope );
}

void QgsAuthOAuth2Config::setState( const QString &value )
{
QString preval( mState );
mState = value;
if ( preval != value )
emit stateChanged( mState );
}

void QgsAuthOAuth2Config::setApiKey( const QString &value )
{
QString preval( mApiKey );
@@ -253,7 +244,6 @@ void QgsAuthOAuth2Config::setToDefaults()
setUsername( QString() );
setPassword( QString() );
setScope( QString() );
setState( QString() );
setApiKey( QString() );
setPersistToken( false );
setAccessMethod( QgsAuthOAuth2Config::Header );
@@ -278,7 +268,6 @@ bool QgsAuthOAuth2Config::operator==( const QgsAuthOAuth2Config &other ) const
&& other.username() == this->username()
&& other.password() == this->password()
&& other.scope() == this->scope()
&& other.state() == this->state()
&& other.apiKey() == this->apiKey()
&& other.persistToken() == this->persistToken()
&& other.accessMethod() == this->accessMethod()
@@ -410,7 +399,6 @@ QVariantMap QgsAuthOAuth2Config::mappedProperties() const
vmap.insert( QStringLiteral( "requestTimeout" ), this->requestTimeout() );
vmap.insert( QStringLiteral( "requestUrl" ), this->requestUrl() );
vmap.insert( QStringLiteral( "scope" ), this->scope() );
vmap.insert( QStringLiteral( "state" ), this->state() );
vmap.insert( QStringLiteral( "tokenUrl" ), this->tokenUrl() );
vmap.insert( QStringLiteral( "username" ), this->username() );
vmap.insert( QStringLiteral( "version" ), this->version() );
@@ -50,7 +50,6 @@ class QgsAuthOAuth2Config : public QObject
Q_PROPERTY( QString username READ username WRITE setUsername NOTIFY usernameChanged )
Q_PROPERTY( QString password READ password WRITE setPassword NOTIFY passwordChanged )
Q_PROPERTY( QString scope READ scope WRITE setScope NOTIFY scopeChanged )
Q_PROPERTY( QString state READ state WRITE setState NOTIFY stateChanged )
Q_PROPERTY( QString apiKey READ apiKey WRITE setApiKey NOTIFY apiKeyChanged )
Q_PROPERTY( bool persistToken READ persistToken WRITE setPersistToken NOTIFY persistTokenChanged )
Q_PROPERTY( AccessMethod accessMethod READ accessMethod WRITE setAccessMethod NOTIFY accessMethodChanged )
@@ -139,9 +138,6 @@ class QgsAuthOAuth2Config : public QObject
//! Scope of authentication
QString scope() const { return mScope; }

//! State passed with request
QString state() const { return mState; }

//! API key
QString apiKey() const { return mApiKey; }

@@ -282,8 +278,6 @@ class QgsAuthOAuth2Config : public QObject
void setPassword( const QString &value );
//! Set scope to \a value
void setScope( const QString &value );
//! Set state to \a value
void setState( const QString &value );
//! Set api key to \a value
void setApiKey( const QString &value );
// advanced
@@ -335,8 +329,6 @@ class QgsAuthOAuth2Config : public QObject
void passwordChanged( const QString & );
//! Emitted when configuration scope has changed
void scopeChanged( const QString & );
//! Emitted when configuration state has changed
void stateChanged( const QString & );
//! Emitted when configuration API key has changed
void apiKeyChanged( const QString & );

@@ -369,7 +361,6 @@ class QgsAuthOAuth2Config : public QObject
QString mUsername;
QString mPassword;
QString mScope;
QString mState;
QString mApiKey;
bool mPersistToken = false;
AccessMethod mAccessMethod = AccessMethod::Header;
@@ -161,7 +161,6 @@ void QgsAuthOAuth2Edit::setupConnections()
connect( leUsername, &QLineEdit::textChanged, mOAuthConfigCustom.get(), &QgsAuthOAuth2Config::setUsername );
connect( lePassword, &QgsPasswordLineEdit::textChanged, mOAuthConfigCustom.get(), &QgsAuthOAuth2Config::setPassword );
connect( leScope, &QLineEdit::textChanged, mOAuthConfigCustom.get(), &QgsAuthOAuth2Config::setScope );
connect( leState, &QLineEdit::textChanged, mOAuthConfigCustom.get(), &QgsAuthOAuth2Config::setState );
connect( leApiKey, &QLineEdit::textChanged, mOAuthConfigCustom.get(), &QgsAuthOAuth2Config::setApiKey );
connect( chkbxTokenPersist, &QCheckBox::toggled, mOAuthConfigCustom.get(), &QgsAuthOAuth2Config::setPersistToken );
connect( cmbbxAccessMethod, static_cast<void ( QComboBox::* )( int )>( &QComboBox::currentIndexChanged ),
@@ -380,7 +379,6 @@ void QgsAuthOAuth2Edit::loadFromOAuthConfig( const QgsAuthOAuth2Config *config )
leUsername->setText( config->username() );
lePassword->setText( config->password() );
leScope->setText( config->scope() );
leState->setText( config->state() );
leApiKey->setText( config->apiKey() );

// advanced
