Small improvement to state parameter checking. Disable state in Odnoklassniki backend...
authorMatías Aguirre <matiasaguirre@gmail.com>
Wed, 4 Jul 2012 18:03:23 +0000 (15:03 -0300)
committerMatías Aguirre <matiasaguirre@gmail.com>
Wed, 4 Jul 2012 18:03:23 +0000 (15:03 -0300)
social_auth/backends/__init__.py
social_auth/backends/contrib/odnoklassniki.py
social_auth/backends/exceptions.py

index c518288b936d98d2fef1d6ca08cf49b56240caa8..93117c27fb55ca550b796c20cd62101b59265027 100644 (file)
@@ -34,7 +34,8 @@ from social_auth.backends.exceptions import StopPipeline, AuthException, \
                                             AuthFailed, AuthCanceled, \
                                             AuthUnknownError, AuthTokenError, \
                                             AuthMissingParameter, \
-                                            AuthForbidden
+                                            AuthStateMissing, \
+                                            AuthStateForbidden
 from social_auth.backends.utils import build_consumer_oauth_request
 
 
@@ -699,11 +700,14 @@ class BaseOAuth2(BaseOAuth):
             raise AuthFailed(self, error)
 
         if self.FORCE_STATE_CHECK:
-            if 'state' not in self.data:
+            request_state = self.data.get('state')
+            state = self.request.session.get(self.AUTH_BACKEND.name + '_state')
+            if not request_state:
                 raise AuthMissingParameter(self, 'state')
-            state = self.request.session[self.AUTH_BACKEND.name + '_state']
-            if not constant_time_compare(self.data['state'], state):
-                raise AuthForbidden(self)
+            elif not state:
+                raise AuthStateMissing(self, 'state')
+            elif not constant_time_compare(request_state, state):
+                raise AuthStateForbidden(self)
 
         client_id, client_secret = self.get_key_and_secret()
         params = {'grant_type': 'authorization_code',  # request auth code
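Review bot: The session-side state is read with `session.get(...)` but never removed, so the same value stays valid for every later callback in that session; a single-use token is the usual expectation for an OAuth2 `state`, which `state = self.request.session.pop(self.AUTH_BACKEND.name + '_state', None)` would give without changing the checks below it. The enclosing method starts and ends outside this hunk, so the value may already be cleared further down; if it is, a short comment at the `.get()` line saying where would save the next reader the search. The new `AuthStateMissing(self, 'state')` call passes a second positional argument although the class defined in exceptions.py has no `__init__` of its own, so this relies on `AuthException.__init__` accepting it — worth confirming, since the `__unicode__` message never uses that value.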
index b88c2ec32a2478a83b6ffe4a3d4e5c2084154179..87923df634fb88654de206c2d5ecf4e7d6cc92b7 100644 (file)
@@ -54,6 +54,7 @@ class OdnoklassnikiOAuth2(BaseOAuth2):
     ACCESS_TOKEN_URL = 'http://api.odnoklassniki.ru/oauth/token.do'
     SETTINGS_KEY_NAME = 'ODNOKLASSNIKI_OAUTH2_CLIENT_KEY'
     SETTINGS_SECRET_NAME = 'ODNOKLASSNIKI_OAUTH2_CLIENT_SECRET'
+    FORCE_STATE_CHECK = False
 
     def get_scope(self):
         return setting('ODNOKLASSNIKI_OAUTH2_EXTRA_SCOPE', [])
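Review bot: `FORCE_STATE_CHECK = False` silently removes the only check in `BaseOAuth2` that ties the callback to the session that started the login, and nothing in the hunk records why this backend needs it. A comment on that line giving the reason, e.g. `FORCE_STATE_CHECK = False  # TODO(owner): document why state cannot be verified for this provider`, keeps a later maintainer from "fixing" it back or, conversely, from copying the override into other backends. If the provider does round-trip `state`, leaving the check enabled would be preferable to documenting the gap.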
index 35f76e09f7d429e9f06841aaabeddb414bc950db..491c37ad2657577ad7777c9281da46373dc86bc6 100644 (file)
@@ -61,7 +61,13 @@ class AuthMissingParameter(AuthException):
         return u'Missing needed parameter %s' % self.parameter
 
 
-class AuthForbidden(AuthException):
+class AuthStateMissing(AuthException):
+    """State parameter is incorrect."""
+    def __unicode__(self):
+        return u'Session value state missing.'
+
+
+class AuthStateForbidden(AuthException):
     """State parameter is incorrect."""
     def __unicode__(self):
         return u'Wrong state parameter given.'
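Review bot: The docstring on `AuthStateMissing` was copied from `AuthStateForbidden` and says "State parameter is incorrect.", which contradicts its own message "Session value state missing."; it should read `"""State value missing from the session (no pending authorization)."""`. The hunk also drops `AuthForbidden` entirely rather than keeping it as an alias, so any other module that still imports it will fail at import time — I cannot see the rest of the project from here, so this needs a grep before merging.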