
Redirect/Seeother strange appends to URL #159

Open
dezza opened this Issue · 0 comments

I have a redirect which appends

#_=_

to the URL every time
*(source at the bottom).
But I cannot reproduce this with the other providers (Google/Live) — only with my Facebook OAuth provider logic.

It happens on the /signup page. But only with Facebook, after receiving the OAuth callback.

I've tried probing all web.ctx vars:

http://hostname.info:8080
http://hostname.info:8080
hostname:8080
85.82.251.93
GET
/signup
http
/signup

So it doesn't show / isn't aware of the `#_=_` at the end (full relative path: /signup#_=_), so why does the redirect/seeother
append `#_=_`? (Note that a URL fragment is never transmitted to the server, so web.ctx cannot show it; the fragment has to be introduced on the client side or by whoever issues the redirect.) My template contains no suspicious JS or other query-
manipulating features. I use the built-in web server while testing the app. This is where it happens; I haven't tried it on other servers.

I thought it was some ending of a variable sent to my callback method, but it is not easy to locate. I'm out of ideas as to where to look / how to debug this; it's been a headache for me every time I go to improve the app, and the problem just demotivates me.

*Regards,
Christoffer Aasted
(dezza, dza, dezzadk) last alias is my gmail also. second alias is freenode IRC alias, first alias is my default user account alias.

Whole app source:

import web
#import web.webopenid
#import tweepy # Twitter API
import oauth2
import config
import json

import session
import users
# SESSIONS
# NOTE(review): web.py's debug flag also makes error pages show the full
# traceback (with local variables, which in this app can include access
# tokens) to the client. Keep it False in production; enable for development only.
web.config.debug = True
# ^ Per the author, sessions don't work without this — TODO confirm why (see session.py)

# DB queries
import model

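# URL -> handler-class table for web.application. web.py anchors every
# pattern (^...$) and dispatches to the FIRST entry that matches, so order
# matters: a literal route must precede any regex that also matches it.
urls = (
        '/', 'index',

        '/callback', 'callback',        # OAuth redirect target, all providers

        '/signup', 'signup',
        '/login', 'login',

        # Literal route first. It used to sit after the provider pattern,
        # which also matches "created" and therefore swallowed it (the
        # request ended up in loginProvider with provider='created').
        '/login/created', 'signup',
        # provider
        '/login/([a-zA-Z]+)', 'loginProvider',
        '/logout', 'logout',
        '/check/username', 'checkUsername',
)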
app = web.application(urls, globals())

render = web.template.render('templates/', base='base')   # pages wrapped in templates/base
render_plain = web.template.render('templates/')          # same templates, no base layout; unused in this file

# Session wiring lives in session.py (not shown). ``Session`` is the object the
# handlers below read and write (state, provider, name, picture, uid).
session.add_sessions_to_app(app)
Session = session.get_session()

class index:
    """``/``: calls ``users.authenticate`` with fixed credentials.

    SECURITY NOTE(review): the username and password are hard-coded in
    source and used on every GET of the front page. Treat this as a
    development stub; move the credentials out of the repository before
    this is deployed anywhere.
    """
    def GET(self):
        username, password = 'dezza', 'yourpass'
        return users.authenticate(username, password)

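def _fetch_profile(url, token):
    """Fetch ``url`` through ``oauth2.Request`` and decode the body as JSON.

    Args:
        url: the provider's profile endpoint (already carrying any
            ``access_token`` query parameter the provider expects).
        token: the access token, passed through to ``oauth2.Request``.

    Returns:
        The decoded JSON object, or ``{}`` when the request yields nothing
        decodable (``TypeError``, as in the original) or the body is not
        valid JSON (``ValueError``), so callers can use ``.get`` safely.
    """
    try:
        return json.loads(oauth2.Request(url, token))
    except (TypeError, ValueError):
        return {}


class callback:
    """``/callback``: OAuth redirect target shared by all three providers.

    Steps: check the ``state`` the provider sent back against the one
    ``loginProvider`` stored in the session, exchange ``code`` for an access
    token with the provider named in ``Session.provider``, copy the profile
    fields the signup page uses into the session, and redirect to /signup.
    """
    def GET(self):
        web.header("Cache-Control", "no-store, no-cache, must-revalidate")
        i = web.input()

        # CSRF check. Parameters are read with .get so a missing one yields a
        # clean rejection instead of an AttributeError (HTTP 500). The stored
        # state is cleared first so it is single-use. Unlike the original,
        # the attacker-controlled value is not echoed into the response
        # (reflected XSS), and the dead ``session.state`` reference (the
        # module, not the Session object) is gone.
        expected = Session.get('state', None)
        received = i.get('state', None)
        Session.state = None
        if expected is None or received != expected:
            return 'state invalid, get banned 4 life'

        code = i.get('code', None)
        if code is None:
            return 'authorization code missing'

        provider = Session.get('provider')
        if provider == 'google':
            token = config.googleConnection.getAccessToken(code)
            json_data = _fetch_profile(
                'https://www.googleapis.com/oauth2/v2/userinfo', token)
            Session.picture = json_data.get('picture', None)
        elif provider == 'live':
            token = config.liveConnection.getAccessToken(code)
            # The token rides in the query string here (and for Facebook):
            # that is what these APIs expected, but such URLs tend to land in
            # proxy/server logs — prefer an Authorization header if supported.
            json_data = _fetch_profile(
                'https://apis.live.net/v5.0/me?access_token=%s' % token, token)
            Session.picture = json_data.get('picture', None)
        elif provider == 'facebook':
            token = config.fbConnection.getAccessToken(code)
            # Facebook does not use refresh_tokens; a long-lived token is
            # obtained instead via
            #   https://graph.facebook.com/oauth/access_token?client_id=APP_ID
            #   &client_secret=APP_SECRET&grant_type=fb_exchange_token
            #   &fb_exchange_token=EXISTING_ACCESS_TOKEN
            json_data = _fetch_profile(
                'https://graph.facebook.com/me?access_token=%s' % token, token)
            # .get: the original indexed json_data['id'] and turned an error
            # body from Graph into an uncaught KeyError (HTTP 500).
            Session.uid = json_data.get('id')
        else:
            return 'unknown provider'

        Session.name = json_data.get('name')
        # TODO: persist the access token, and on a 400/401 from the API
        # refresh it (Google/Live) or exchange it (Facebook, see above).
        raise web.redirect('/signup')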

class login:
    """``/login``: render the login template from templates/ (with base)."""
    def GET(self):
        page = render.login()
        return page

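def _state_from_auth_url(url):
    """Return the ``state`` query parameter of an authorization URL, or None.

    Replaces the original ``url.split('&')[-2].replace('state=', '')`` /
    ``[-1]`` extraction, which silently returned the wrong parameter
    whenever a provider put ``state`` at a different position in the query.
    """
    try:
        from urlparse import urlparse, parse_qs  # Python 2 (this file)
    except ImportError:
        from urllib.parse import urlparse, parse_qs  # Python 3
    values = parse_qs(urlparse(url).query).get('state')
    return values[0] if values else None


class loginProvider:
    """``/login/<provider>``: start the OAuth flow with one provider.

    Builds the provider's authorization URL, remembers the CSRF ``state``
    it carries and the chosen provider in the session, then redirects the
    browser there. ``callback`` compares the returned state with
    ``Session.state``; a mismatch or missing value is rejected.
    """
    def GET(self, provider):
        web.header("Cache-Control", "no-store, no-cache, must-revalidate")
        if provider == 'google':
            # splitter='+' is passed through to the Google connection
            # (presumably the scope separator) — TODO confirm in config.py.
            redir = config.googleConnection.getAuthURL(splitter='+')
        elif provider == 'facebook':
            redir = config.fbConnection.getAuthURL()
        elif provider == 'live':
            redir = config.liveConnection.getAuthURL()
        else:
            return 'provider not supported'

        # The state must be unguessable; it is generated by the *Connection
        # objects in config.py (not shown) — verify they use a CSPRNG. The
        # original printed the auth URL and state to stdout on every request;
        # that debug output is gone so the token does not end up in logs.
        Session.state = _state_from_auth_url(redir)
        Session.provider = provider
        raise web.redirect(redir)

    def POST(self, provider=None):
        """POST is not supported. The route's capture group is passed
        positionally by web.py, so it must be accepted here: the original
        ``POST(self)`` raised TypeError on every POST to /login/<provider>."""
        return 'not exactly'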

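class signup:
    """``/signup`` (and ``/login/created``): the profile-creation page.

    GET renders templates/create_profile with the whole session object, so
    the template sees everything ``callback`` stored (name, picture, uid,
    provider) — and also the OAuth ``state``; consider passing only the
    fields the template needs. Nothing here checks that an OAuth callback
    actually completed, so an unauthenticated visitor gets the page with an
    empty session.
    """
    def GET(self):
        # The per-request web.ctx dump used while chasing the "#_=_" suffix
        # is gone: a URL fragment is never sent to the server, so it cannot
        # appear in any web.ctx field, and the dump leaked client IPs to stdout.
        return render.create_profile(Session)

    def POST(self):
        # TODO: validate the submitted profile and insert it into the DB.
        return 'not exactly'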

class logout:
    """``/logout`` placeholder.

    Still a stub: the session is not cleared and no cookie is touched, so
    visiting it does not actually log anyone out (see the TODO).
    """
    def GET(self):
        # TODO: Clear session & cookies
        message = 'you are (not) logged out'
        return message

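class checkUsername:
    """``/check/username``: availability check used by the signup form.

    Returns ``1`` for an empty or whitespace-only username and otherwise the
    number of rows ``model.getUsername`` returns, so any non-zero value means
    "taken". Security notes: this is a username-enumeration oracle (anyone
    can probe which names exist) — consider rate limiting; and
    ``model.getUsername`` must bind ``username`` as a query parameter rather
    than interpolating it (not visible here — verify in model.py).
    """
    def POST(self):
        i = web.input()
        # .get: a missing field is treated as empty instead of raising
        # AttributeError (HTTP 500).
        username = i.get('username', '')
        # Check emptiness before touching the DB; the original queried first
        # and stripped only ' ', so a tab-only name reached the database.
        if not username.strip():
            return 1
        return len(model.getUsername(username))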

# Entry point: runs web.py's built-in development server (the one the issue
# reporter was testing on); not intended for production use.
if __name__ == '__main__': app.run()