acteng / update-your-capital-schemes

Update your capital schemes service.
https://update-your-capital-schemes.activetravelengland.gov.uk/
MIT License

Redirect to Forbidden page on 403 errors #122

Closed Sparrow0hawk closed 4 months ago

Sparrow0hawk commented 4 months ago

Summary

If a user attempts to log in but is not authorized they see a Forbidden page but at the /auth endpoint.

This can lead to the app raising 500 errors if the user refreshes the page because of a mismatching CSRF token.

Example traceback

[2024-07-03 07:33:16,150] ERROR in app: Exception on /auth [GET]
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/flask/app.py", line 1473, in wsgi_app
    response = self.full_dispatch_request()
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask/app.py", line 882, in full_dispatch_request
    rv = self.handle_user_exception(e)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask/app.py", line 880, in full_dispatch_request
    rv = self.dispatch_request()
         ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask/app.py", line 865, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)  # type: ignore[no-any-return]
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/inject/__init__.py", line 405, in injection_wrapper
    return sync_func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/app/schemes/views/auth/bearer.py", line 21, in callback
    token = oauth.govuk.authorize_access_token(
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/authlib/integrations/flask_client/apps.py", line 100, in authorize_access_token
    params = self._format_state_params(state_data, params)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/authlib/integrations/base_client/sync_app.py", line 234, in _format_state_params
    raise MismatchingStateError()
authlib.integrations.base_client.errors.MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.

Suggested fix

This could be resolved by redirecting to a Forbidden page rather than returning a response when a 403 error is encountered.
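The failure mode above, and the suggested redirect, reproduced as an added example that is not part of this issue or of the project's code. It uses only the standard library: a small WSGI app stands in for the Flask views, and a one-shot `authorize_access_token` stand-in mimics Authlib's behaviour of consuming the stored OAuth state on first use (the `MismatchingStateError` class, the `/forbidden` and `/home` routes, the redirect on successful login and the sample users and codes are all assumptions made for the demo). Serving the 403 inline at `/auth` means a browser refresh replays the callback URL against a session whose state has already been consumed, which surfaces as a 500; redirecting to a dedicated page leaves the browser on a URL that is safe to reload.

```python
from urllib.parse import parse_qs, urlsplit
from wsgiref.util import setup_testing_defaults


class MismatchingStateError(Exception):
    """Stand-in for authlib's MismatchingStateError (assumption: same one-shot state check)."""


# Constructed sample data: authorization codes -> users, and which users may log in.
CODES = {"code-alice": "alice@example.gov.uk", "code-mallory": "mallory@example.com"}
AUTHORISED = {"alice@example.gov.uk"}


def authorize_access_token(session, params):
    """Mimics the callback-side state check: the stored state is popped on first use,
    so replaying the same callback URL (a browser refresh) can never match it again."""
    expected = session.pop("state", None)
    if expected is None or expected != params.get("state"):
        raise MismatchingStateError(
            "mismatching_state: CSRF Warning! State not equal in request and response.")
    return {"email": CODES.get(params.get("code"), "unknown")}


def make_app(redirect_on_forbidden):
    """Build the demo app; redirect_on_forbidden=False is the behaviour reported in the issue."""
    session = {"state": "s1"}  # one pre-seeded session, as if the login step had already run

    def text(start_response, status, body):
        start_response(status, [("Content-Type", "text/plain")])
        return [body.encode()]

    def app(environ, start_response):
        path = environ["PATH_INFO"]
        params = {k: v[0] for k, v in parse_qs(environ.get("QUERY_STRING", "")).items()}
        if path == "/auth":
            try:
                token = authorize_access_token(session, params)
            except MismatchingStateError as exc:
                # Unhandled in the real app, hence the 500 in the traceback
                return text(start_response, "500 Internal Server Error", str(exc))
            if token["email"] not in AUTHORISED:
                if redirect_on_forbidden:
                    start_response("302 Found", [("Location", "/forbidden")])
                    return [b""]
                return text(start_response, "403 Forbidden", "Forbidden")  # inline at /auth
            start_response("302 Found", [("Location", "/home")])  # assumed post-login redirect
            return [b""]
        if path == "/forbidden":
            return text(start_response, "403 Forbidden", "Forbidden")
        if path == "/home":
            return text(start_response, "200 OK", "Welcome")
        return text(start_response, "404 Not Found", "Not found")

    return app


def get(app, url):
    """Minimal in-process client: returns (status line, headers dict)."""
    environ = {}
    setup_testing_defaults(environ)
    parts = urlsplit(url)
    environ["PATH_INFO"] = parts.path
    environ["QUERY_STRING"] = parts.query
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    list(app(environ, start_response))  # drain the body iterable
    return captured["status"], captured["headers"]


def browser_session(redirect_on_forbidden, code="code-mallory"):
    """Hit the callback, follow one redirect if given, then 'press F5' on the page
    the browser ended up on. Returns the status codes observed, in order."""
    app = make_app(redirect_on_forbidden)
    url = f"/auth?state=s1&code={code}"
    statuses = []
    status, headers = get(app, url)
    statuses.append(int(status[:3]))
    if status.startswith("302"):
        url = headers["Location"]
        status, headers = get(app, url)
        statuses.append(int(status[:3]))
    status, _ = get(app, url)  # refresh of whatever URL the browser is showing
    statuses.append(int(status[:3]))
    return statuses


if __name__ == "__main__":
    print("inline 403 at /auth:", browser_session(False))  # [403, 500]
    print("redirect to /forbidden:", browser_session(True))  # [302, 403, 403]
```

Run it directly to see the two sequences side by side: with the inline 403 the refresh produces the 500, with the redirect it simply re-renders the Forbidden page. The same reasoning is why the success path in the demo also redirects rather than rendering at `/auth`.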

markhobson commented 4 months ago

Redirect to forbidden when unauthorized.