puiterwijk / flask-oidc

OpenID Connect support for Flask
BSD 2-Clause "Simplified" License

Bypass of "require_login()" leads to application crash (obviously) #158

Open Panagiss opened 1 year ago

Panagiss commented 1 year ago

I was able to bypass the decorated @oidc.require_login on a function, leading to an app crash, of course, as the function was trying to access grants from the ID token. Here is the stack trace:

```
[2022-12-20 14:38:59 +0000] [12] [ERROR] Error handling request /route
app   | Traceback (most recent call last):
app   |   File "/usr/local/lib/python3.10/site-packages/gunicorn/workers/sync.py", line 136, in handle
app   |     self.handle_request(listener, req, client, addr)
app   |   File "/usr/local/lib/python3.10/site-packages/gunicorn/workers/sync.py", line 179, in handle_request
app   |     respiter = self.wsgi(environ, resp.start_response)
app   |   File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2548, in __call__
app   |     return self.wsgi_app(environ, start_response)
app   |   File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2528, in wsgi_app
app   |     response = self.handle_exception(e)
app   |   File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2525, in wsgi_app
app   |     response = self.full_dispatch_request()
app   |   File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1822, in full_dispatch_request
app   |     rv = self.handle_user_exception(e)
app   |   File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1820, in full_dispatch_request
app   |     rv = self.dispatch_request()
app   |   File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1796, in dispatch_request
app   |     return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
app   |   File "/home/app/routes.py", line 252, in my_func
app   |     a_grant= oidc.user_getfield("a_grant")
app   |   File "/usr/local/lib/python3.10/site-packages/flask_oidc/__init__.py", line 220, in user_getfield
app   |     info = self.user_getinfo([field], access_token)
app   |   File "/usr/local/lib/python3.10/site-packages/flask_oidc/__init__.py", line 240, in user_getinfo
app   |     raise Exception('User was not authenticated')
app   | Exception: User was not authenticated
```

Here is also the code:

```python
@oidc.require_login
@app.route("/route", methods=["GET"])
def my_func():
    a_grant = oidc.user_getfield("a_grant")
```

To reproduce it, just authenticate once and go to that route. It will display everything well. Then leave it open for a while; not sure how much. I think it just needs the ID token to expire or something. Then refresh the page and you will see the exception.
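Decorator order is the thing to check in the snippet above: Flask's `app.route` registers whatever function object it is handed at decoration time, so a decorator stacked above it wraps only the module-level name and is never called for a request. The stdlib-only stand-in below is added here and is not code from the issue or from flask-oidc; `MiniApp`, `MiniOIDC` and the session dict are constructed to mirror `app.route`, `require_login` and `user_getfield`, and it shows the report's ordering crashing with the message from the trace once the token is gone, while the reversed ordering sends the user back to login instead.

```python
from functools import wraps

class MiniApp:
    """Stand-in for Flask: route() stores the function object it is handed."""
    def __init__(self):
        self.view_functions = {}

    def route(self, rule, **options):
        def register(view):
            self.view_functions[rule] = view  # whatever exists at this moment
            return view
        return register

    def dispatch(self, rule, session):  # Flask's dispatch_request, simplified
        return self.view_functions[rule](session)

class MiniOIDC:
    """Stand-in for flask_oidc's login check and claim lookup."""
    def require_login(self, view):
        @wraps(view)
        def decorated(session):
            if session.get("oidc_id_token") is None:  # missing or expired token
                return ("302 redirect to IdP", None)
            return view(session)
        return decorated

    def user_getfield(self, session, field):
        if session.get("oidc_id_token") is None:
            raise Exception("User was not authenticated")  # message from the trace
        return session["oidc_id_token"].get(field)

app = MiniApp()
oidc = MiniOIDC()

@oidc.require_login  # order from the report: wraps the module-level name only
@app.route("/wrong", methods=["GET"])
def wrong(session):
    return ("200 OK", oidc.user_getfield(session, "a_grant"))

@app.route("/right", methods=["GET"])
@oidc.require_login  # inner decorator: the guarded wrapper is what gets registered
def right(session):
    return ("200 OK", oidc.user_getfield(session, "a_grant"))

def request_after_expiry(rule):
    """Refresh once the ID token is gone; returns (status, body) like the view."""
    try:
        return app.dispatch(rule, {"oidc_id_token": None})
    except Exception as exc:  # what gunicorn logged as the 500
        return ("500 crash", str(exc))
```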