Closed mrharpo closed 2 months ago
@mrharpo, thanks for reporting the issue. I have tested with different OAuth clients but never tested with different accounts of the same OAuth client. I was able to reproduce the issue on the playground application and reviewed your pull request (#48). The thing is that self._oauth_client.access_token is accessible only once, which is why I implemented caching on it. I suggest just setting the self._access_token to None on logout or making it an instance variable.
Bug description
First off, thanks for the great project! We are trying to see if we can use this as part of our FastAPI application, but found a major bug in the implementation:

TLDR
Storing the OAuth2Core._access_token means the 2nd person to log in to the server (and each subsequent user) gets the 1st person's user_data in their token.

core.py
https://github.com/pysnippet/fastapi-oauth2/blob/53973d67472f43b0f3a5ad157465970071ff4206/src/fastapi_oauth2/core.py#L72-L76

Solution
Returning the access_token directly from the _oauth_client works correctly, as far as I can tell.

Reproduction URL
https://github.com/WGBH-MLA/organ/pull/3
Reproduction steps
Server
Env
- Homepage URL: http://localhost:8000/
- Authorization callback URL: http://localhost:8000/oauth2/github/token
Steps
- uvicorn server:app
- Authorization cookie
- Authorization cookie with Browser 1's user_data
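The shared-state bug this issue describes, as a constructed Python example that is not fastapi-oauth2's own code (the classes, the fake one-shot OAuth client and the token strings are assumptions): a core that caches the first user's token on an object shared by all requests, beside one that performs the single permitted read inside each request.

```python
# Constructed illustration of the issue above; not fastapi-oauth2's own code. The
# classes, names and the fake one-shot OAuth client are assumptions. One core object
# is shared by every request, so a token cached on it is served to the next user.

class FakeOAuthClient:
    """Stand-in for a client whose access_token can be read only once (as the
    maintainer describes): the first read returns it, later reads return None."""
    def __init__(self):
        self._pending = None

    def exchange_code(self, code: str) -> None:
        # Constructed: pretend the auth-code exchange yielded a token for this user.
        self._pending = f"token-for-{code}"

    @property
    def access_token(self):
        token, self._pending = self._pending, None
        return token


class BuggyCore:
    """Caches the first token on the shared object and hands it to everyone."""
    def __init__(self, client: FakeOAuthClient):
        self._oauth_client = client
        self._access_token = None

    def login(self, code: str) -> str:
        self._oauth_client.exchange_code(code)
        if self._access_token is None:  # cache hit for every user after the first
            self._access_token = self._oauth_client.access_token
        return self._access_token


class FixedCore:
    """Does the single permitted read inside the request that performed the
    exchange and keeps the token in a local, never on the shared object."""
    def __init__(self, client: FakeOAuthClient):
        self._oauth_client = client

    def login(self, code: str) -> str:
        self._oauth_client.exchange_code(code)
        token = self._oauth_client.access_token  # read exactly once, per request
        if token is None:
            raise RuntimeError("access token already consumed")
        return token


def simulate(core_cls) -> list:
    """Two browsers log in through one shared core; return the token each receives."""
    core = core_cls(FakeOAuthClient())
    return [core.login("alice"), core.login("bob")]
```

simulate(BuggyCore) hands both logins the first user's token while simulate(FixedCore) returns one token per user; the same comparison makes a compact regression test for this class of cross-user state leakage.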