From: Matías Aguirre
Date: Wed, 4 Jul 2012 18:03:23 +0000 (-0300)
Subject: Little improve to state parameter checking. Disable state in Odnoklassniki backend...
X-Git-Url: https://git.parisson.com/?a=commitdiff_plain;h=ec829f7f685fce6c593e407d70906fb4ef65b75f;p=django-social-auth.git
Little improve to state parameter checking. Disable state in Odnoklassniki backend. Refs #386
---
diff --git a/social_auth/backends/__init__.py b/social_auth/backends/__init__.py
index c518288..93117c2 100644
--- a/social_auth/backends/__init__.py
+++ b/social_auth/backends/__init__.py
@@ -34,7 +34,8 @@ from social_auth.backends.exceptions import StopPipeline, AuthException, \
 AuthFailed, AuthCanceled, \
 AuthUnknownError, AuthTokenError, \
 AuthMissingParameter, \
- AuthForbidden
+ AuthStateMissing, \
+ AuthStateForbidden
 from social_auth.backends.utils import build_consumer_oauth_request
@@ -699,11 +700,14 @@ class BaseOAuth2(BaseOAuth):
 raise AuthFailed(self, error)
 if self.FORCE_STATE_CHECK:
- if 'state' not in self.data:
+ request_state = self.data.get('state')
+ state = self.request.session.get(self.AUTH_BACKEND.name + '_state')
+ if not request_state:
 raise AuthMissingParameter(self, 'state')
- state = self.request.session[self.AUTH_BACKEND.name + '_state']
- if not constant_time_compare(self.data['state'], state):
- raise AuthForbidden(self)
+ elif not state:
+ raise AuthStateMissing(self, 'state')
+ elif not constant_time_compare(request_state, state):
+ raise AuthStateForbidden(self)
 client_id, client_secret = self.get_key_and_secret()
 params = {'grant_type': 'authorization_code', # request auth code
diff --git a/social_auth/backends/contrib/odnoklassniki.py b/social_auth/backends/contrib/odnoklassniki.py
index b88c2ec..87923df 100644
--- a/social_auth/backends/contrib/odnoklassniki.py
+++ b/social_auth/backends/contrib/odnoklassniki.py
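Review bot: The session-side state is read with `session.get(...)` in the FORCE_STATE_CHECK branch and nothing in this hunk removes it after the comparison, so unless it is cleared elsewhere the same value stays valid for the whole life of the session instead of being single-use. Consuming it at the point of check keeps the nonce one-shot: `state = self.request.session.pop(self.AUTH_BACKEND.name + '_state', None)`. The missing-parameter and missing-session-value cases are now distinguishable, which is good for diagnosing callback failures, but the two distinct exception types also mean any handler that previously caught `AuthForbidden` here needs updating. The enclosing method begins and ends outside this hunk.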
@@ -54,6 +54,7 @@ class OdnoklassnikiOAuth2(BaseOAuth2):
 ACCESS_TOKEN_URL = 'http://api.odnoklassniki.ru/oauth/token.do'
 SETTINGS_KEY_NAME = 'ODNOKLASSNIKI_OAUTH2_CLIENT_KEY'
 SETTINGS_SECRET_NAME = 'ODNOKLASSNIKI_OAUTH2_CLIENT_SECRET'
+ FORCE_STATE_CHECK = False
 def get_scope(self):
 return setting('ODNOKLASSNIKI_OAUTH2_EXTRA_SCOPE', [])
diff --git a/social_auth/backends/exceptions.py b/social_auth/backends/exceptions.py
index 35f76e0..491c37a 100644
--- a/social_auth/backends/exceptions.py
+++ b/social_auth/backends/exceptions.py
@@ -61,7 +61,13 @@ class AuthMissingParameter(AuthException):
 return u'Missing needed parameter %s' % self.parameter
-class AuthForbidden(AuthException):
+class AuthStateMissing(AuthException):
+ """State parameter is incorrect."""
+ def __unicode__(self):
+ return u'Session value state missing.'
+
+
+class AuthStateForbidden(AuthException):
 """State parameter is incorrect."""
 def __unicode__(self):
 return u'Wrong state parameter given.'
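Review bot: `FORCE_STATE_CHECK = False` switches off the state round-trip comparison for this backend with no comment explaining why, so the callback for this provider is accepted without the check that the base class otherwise enforces, and a later maintainer has nothing telling them whether that is a provider limitation or an oversight. Record the reason inline, e.g. `FORCE_STATE_CHECK = False  # state check disabled for this provider, see #386`, so the weaker CSRF posture of this backend is deliberate and traceable. The class body continues outside the hunk.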
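Review bot: The docstring on the new `AuthStateMissing` class, `"""State parameter is incorrect."""`, is copied from `AuthStateForbidden` and contradicts the class's own message, which reports a missing session value; it should read `"""State value missing from the session."""`. Separately, `__init__.py` raises it as `AuthStateMissing(self, 'state')`, but the class declares no constructor taking a parameter the way `AuthMissingParameter` evidently does (it uses `self.parameter`); unless `AuthException.__init__` accepts a second positional argument, which is not visible here, the raise will fail with a TypeError exactly when the check trips, so either add a matching `__init__` or raise `AuthStateMissing(self)`. The rename of `AuthForbidden` also removes that name from the module, so any code outside this diff that catches it will stop matching.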