Closed N247S closed 1 year ago
Thanks for the detailed issue - seems like a bug and I can see a reasonable use case to have some endpoints be session/web only (quite a few sites require web/session access to say retrieve access tokens).
Hadn't thought that far into usecases yet, but seems reasonable.
One quickfix I could think of is by checking the `fs_authn_via` flag inside the auth_mechanism function for 'session authentication' as I don't think that flag is set when a user is restored from session data. But it feels sketchy at best.
With the growing authentication solutions it might be preferable to fix this with a big rework. But the above could serve as a quick/temp fix.
Thanks for your work - I have taken your PR and am working with it - hopefully get something up in the next few days. Right now I am leaning towards the fs_authn_via solution....
Thank you for picking it up. Just to make sure, PR#794 should be a fix for this. Might save you some time.
Yup - started with that - a big help.
I am messing around a bit with configurations to figure out how things work, and what to be aware of when working with flask-security.
One thing I noticed was when one authenticates using a `token`, they can access endpoints which are protected with `auth_required('session')` (i.e. session-authentication only), which might not be a big problem, but goes against specs if I read it correctly.

Testcase:

From what I could figure out the `loginManager.request_loader` is called prior to the `auth_required`. Upon a request it tries to create a session and populates it, during which process the `current_user` proxy is called which calls `_get_user()`, which in turn calls `current_app.login_manager._load_user()` to get the user, which in turn calls `_load_user_from_request()`, which is able to obtain the user from a token. This is pushed to the global variables (`g`) and is used to populate the `current_user`.

After this chain of events is done, the `auth_required` decorator is called which for session-authentication checks `current_user.is_authenticated`, which is true because that user was found using the token already. This means the decorator basically allows `token` authentication to be used for `session` authentication.

Again not sure if this is a big problem, but I think it goes against specs.
The version I tested this on is: Flask 2.2.3 Flask-security-too 5.1.2 (fresh install as of 1 week ago, so I assume latest dependency versions)
If more information is needed, feel free to ask.
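The chain described in the issue, and the `fs_authn_via` quickfix proposed in the comments, as an added stdlib-only model (not Flask-Security's or Flask-Login's own code): a user loader restores the user from a session id or from a bearer token before the route check runs, and a session-only check that looks solely at `is_authenticated` accepts the token-authenticated request, whereas a check that also requires `fs_authn_via == "session"` rejects it. The `User`, `Request`, `load_user` and `session_auth_*` names, the `Authentication-Token` header and the `_user_id` session key are assumptions for this model.

```python
# Added example modelling the issue, not Flask-Security code.
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    is_authenticated: bool = True


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)
    g: dict = field(default_factory=dict)  # per-request globals, like flask.g


# Constructed sample stores (assumed, not real data).
TOKENS = {"tok-123": User(1)}
SESSIONS = {"sess-abc": User(2)}


def load_user(req: Request):
    """Model of the loader chain: session first, then the request loader.

    Whichever path restores the user records how it did so in g, which is the
    flag (fs_authn_via) the quickfix in the thread relies on.
    """
    user = SESSIONS.get(req.session.get("_user_id"))
    if user is not None:
        req.g["fs_authn_via"] = "session"
        return user
    user = TOKENS.get(req.headers.get("Authentication-Token"))
    if user is not None:
        req.g["fs_authn_via"] = "token"
        return user
    return None


def session_auth_buggy(req: Request) -> bool:
    """The behaviour reported: only is_authenticated is checked, so a user
    restored from a token passes a 'session'-only check."""
    user = load_user(req)
    return user is not None and user.is_authenticated


def session_auth_fixed(req: Request) -> bool:
    """The quickfix: additionally require that the user was restored from
    session data, so token-authenticated requests are rejected."""
    user = load_user(req)
    return (user is not None and user.is_authenticated
            and req.g.get("fs_authn_via") == "session")
```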