[oauth] Automatic management of state parameter
Ported from https://github.com/securedimensions/QGIS-OAuth2-Plugin

The Boundless Geo version of the plugin requests the state parameter to be provided by the user.
We have changed that as we think that the user must not be responsible for providing that,
as a duplication of a state parameter could lead to unintentional errors.
The Testbed 13 version generates the state parameter automatically for each authorization
request to the Authorization Server and checks the value returned in the redirect, so that CSRF attacks are detected.
elpaso committed Jul 17, 2018
1 parent 3d20cfe commit 2e88dd5
Showing 7 changed files with 346 additions and 196 deletions.
12 changes: 0 additions & 12 deletions src/auth/oauth2/qgsauthoauth2config.cpp
Expand Up @@ -44,7 +44,6 @@ QgsAuthOAuth2Config::QgsAuthOAuth2Config( QObject *parent )
connect( this, &QgsAuthOAuth2Config::usernameChanged, this, &QgsAuthOAuth2Config::configChanged );
connect( this, &QgsAuthOAuth2Config::passwordChanged, this, &QgsAuthOAuth2Config::configChanged );
connect( this, &QgsAuthOAuth2Config::scopeChanged, this, &QgsAuthOAuth2Config::configChanged );
connect( this, &QgsAuthOAuth2Config::stateChanged, this, &QgsAuthOAuth2Config::configChanged );
connect( this, &QgsAuthOAuth2Config::apiKeyChanged, this, &QgsAuthOAuth2Config::configChanged );
connect( this, &QgsAuthOAuth2Config::persistTokenChanged, this, &QgsAuthOAuth2Config::configChanged );
connect( this, &QgsAuthOAuth2Config::accessMethodChanged, this, &QgsAuthOAuth2Config::configChanged );
Expand Down Expand Up @@ -187,14 +186,6 @@ void QgsAuthOAuth2Config::setScope( const QString &value )
emit scopeChanged( mScope );
}

void QgsAuthOAuth2Config::setState( const QString &value )
{
QString preval( mState );
mState = value;
if ( preval != value )
emit stateChanged( mState );
}

void QgsAuthOAuth2Config::setApiKey( const QString &value )
{
QString preval( mApiKey );
Expand Down Expand Up @@ -253,7 +244,6 @@ void QgsAuthOAuth2Config::setToDefaults()
setUsername( QString() );
setPassword( QString() );
setScope( QString() );
setState( QString() );
setApiKey( QString() );
setPersistToken( false );
setAccessMethod( QgsAuthOAuth2Config::Header );
Expand All @@ -278,7 +268,6 @@ bool QgsAuthOAuth2Config::operator==( const QgsAuthOAuth2Config &other ) const
&& other.username() == this->username()
&& other.password() == this->password()
&& other.scope() == this->scope()
&& other.state() == this->state()
&& other.apiKey() == this->apiKey()
&& other.persistToken() == this->persistToken()
&& other.accessMethod() == this->accessMethod()
Expand Down Expand Up @@ -410,7 +399,6 @@ QVariantMap QgsAuthOAuth2Config::mappedProperties() const
vmap.insert( QStringLiteral( "requestTimeout" ), this->requestTimeout() );
vmap.insert( QStringLiteral( "requestUrl" ), this->requestUrl() );
vmap.insert( QStringLiteral( "scope" ), this->scope() );
vmap.insert( QStringLiteral( "state" ), this->state() );
vmap.insert( QStringLiteral( "tokenUrl" ), this->tokenUrl() );
vmap.insert( QStringLiteral( "username" ), this->username() );
vmap.insert( QStringLiteral( "version" ), this->version() );
9 changes: 0 additions & 9 deletions src/auth/oauth2/qgsauthoauth2config.h
Expand Up @@ -50,7 +50,6 @@ class QgsAuthOAuth2Config : public QObject
Q_PROPERTY( QString username READ username WRITE setUsername NOTIFY usernameChanged )
Q_PROPERTY( QString password READ password WRITE setPassword NOTIFY passwordChanged )
Q_PROPERTY( QString scope READ scope WRITE setScope NOTIFY scopeChanged )
Q_PROPERTY( QString state READ state WRITE setState NOTIFY stateChanged )
Q_PROPERTY( QString apiKey READ apiKey WRITE setApiKey NOTIFY apiKeyChanged )
Q_PROPERTY( bool persistToken READ persistToken WRITE setPersistToken NOTIFY persistTokenChanged )
Q_PROPERTY( AccessMethod accessMethod READ accessMethod WRITE setAccessMethod NOTIFY accessMethodChanged )
Expand Down Expand Up @@ -139,9 +138,6 @@ class QgsAuthOAuth2Config : public QObject
//! Scope of authentication
QString scope() const { return mScope; }

//! State passed with request
QString state() const { return mState; }

//! API key
QString apiKey() const { return mApiKey; }

Expand Down Expand Up @@ -282,8 +278,6 @@ class QgsAuthOAuth2Config : public QObject
void setPassword( const QString &value );
//! Set scope to \a value
void setScope( const QString &value );
//! Set state to \a value
void setState( const QString &value );
//! Set api key to \a value
void setApiKey( const QString &value );
// advanced
Expand Down Expand Up @@ -335,8 +329,6 @@ class QgsAuthOAuth2Config : public QObject
void passwordChanged( const QString & );
//! Emitted when configuration scope has changed
void scopeChanged( const QString & );
//! Emitted when configuration state has changed
void stateChanged( const QString & );
//! Emitted when configuration API key has changed
void apiKeyChanged( const QString & );

Expand Down Expand Up @@ -369,7 +361,6 @@ class QgsAuthOAuth2Config : public QObject
QString mUsername;
QString mPassword;
QString mScope;
QString mState;
QString mApiKey;
bool mPersistToken = false;
AccessMethod mAccessMethod = AccessMethod::Header;
2 changes: 0 additions & 2 deletions src/auth/oauth2/qgsauthoauth2edit.cpp
Expand Up @@ -161,7 +161,6 @@ void QgsAuthOAuth2Edit::setupConnections()
connect( leUsername, &QLineEdit::textChanged, mOAuthConfigCustom.get(), &QgsAuthOAuth2Config::setUsername );
connect( lePassword, &QgsPasswordLineEdit::textChanged, mOAuthConfigCustom.get(), &QgsAuthOAuth2Config::setPassword );
connect( leScope, &QLineEdit::textChanged, mOAuthConfigCustom.get(), &QgsAuthOAuth2Config::setScope );
connect( leState, &QLineEdit::textChanged, mOAuthConfigCustom.get(), &QgsAuthOAuth2Config::setState );
connect( leApiKey, &QLineEdit::textChanged, mOAuthConfigCustom.get(), &QgsAuthOAuth2Config::setApiKey );
connect( chkbxTokenPersist, &QCheckBox::toggled, mOAuthConfigCustom.get(), &QgsAuthOAuth2Config::setPersistToken );
connect( cmbbxAccessMethod, static_cast<void ( QComboBox::* )( int )>( &QComboBox::currentIndexChanged ),
Expand Down Expand Up @@ -380,7 +379,6 @@ void QgsAuthOAuth2Edit::loadFromOAuthConfig( const QgsAuthOAuth2Config *config )
leUsername->setText( config->username() );
lePassword->setText( config->password() );
leScope->setText( config->scope() );
leState->setText( config->state() );
leApiKey->setText( config->apiKey() );

// advanced