snok / django-auth-adfs

A Django authentication backend for Microsoft ADFS and AzureAD
http://django-auth-adfs.readthedocs.io/
BSD 2-Clause "Simplified" License
270 stars, 97 forks

Implementing POST in login, redirecting to previous page with NEXT parameter #308

Open simon-spier0 opened 8 months ago

simon-spier0 commented 8 months ago

To allow a user to be redirected to the previous or a specific page after login, Django has a default native parameter, NEXT, for that. When I want to implement it, this is the way:

login.html template:

<form method="get" action="{% url 'django_auth_adfs:login' %}">{% csrf_token %}
  <input type="hidden" name="next" value="{{ next }}">
  <button type="submit" class="btn btn-info"><i class="fa-brands fa-windows"></i> Log in with ADFS</button>
</form>

It works fine, but the OWASP scanner flags it with an XSLT injection medium-priority warning.

What I did then:

  1. Changed form method GET to POST:
    <form method="post" action="{% url 'django_auth_adfs:login' %}">{% csrf_token %}
    <input type="hidden" name="next" value="{{ next }}">
    <button type="submit" class="btn btn-info"><i class="fa-brands fa-windows"></i> Log in with ADFS</button>
    </form>
  2. Added post view:

    from django.shortcuts import redirect
    from django.views import View

    from django_auth_adfs.config import provider_config

    class OAuth2LoginView(View):
        def get(self, request):
            return redirect(provider_config.build_authorization_endpoint(request))

        def post(self, request):
            # Same redirect as GET, so the login form can be submitted with POST.
            return redirect(provider_config.build_authorization_endpoint(request))
  3. Added the NEXT url from POST in config:
    def build_authorization_endpoint(self, request, disable_sso=None, force_mfa=False):
        self.load_config()
        # Prefer the "next" value from POST, then from GET, then the configured default.
        redirect_to = request.POST.get(REDIRECT_FIELD_NAME, None)
        if not redirect_to:
            redirect_to = request.GET.get(REDIRECT_FIELD_NAME, None)
        if not redirect_to:
            redirect_to = django_settings.LOGIN_REDIRECT_URL
        ...

Now POST support is added, but OWASP still detects it as XSLT injection. When I removed/disallowed the get() method in OAuth2LoginView, OWASP didn't detect it anymore.

My question is whether you can also add POST support in login to this library. 🙂

Thanks.
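The POST -> GET -> LOGIN_REDIRECT_URL fallback described in the issue, as an added example that is not the issue author's or the library's code: the client-supplied `next` value is only honoured after a host-and-scheme check, re-implemented here with the standard library so it runs without Django (in a real project use `django.utils.http.url_has_allowed_host_and_scheme`). `post_data`, `get_data`, `default` and `allowed_hosts` are stand-ins for `request.POST`, `request.GET`, `settings.LOGIN_REDIRECT_URL` and `settings.ALLOWED_HOSTS`.

```python
import unicodedata
from urllib.parse import urlsplit

REDIRECT_FIELD_NAME = "next"  # Django's default name for the redirect parameter


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """Return True only for a same-site path or an http(s) URL on an allowed host.

    Stdlib-only re-implementation of the checks Django performs in
    django.utils.http.url_has_allowed_host_and_scheme.
    """
    if not url or url.strip() != url:
        return False
    if url.startswith("///"):                     # urlsplit would read this as a bare path
        return False
    if unicodedata.category(url[0])[0] == "C":    # leading control character
        return False
    parts = urlsplit(url.replace("\\", "/"))      # browsers treat "\" like "/"
    if not parts.netloc and parts.scheme:         # e.g. "javascript:...", "data:..."
        return False
    scheme = parts.scheme or ("http" if parts.netloc else "")
    valid_schemes = ["https"] if require_https else ["http", "https"]
    if scheme and scheme.lower() not in valid_schemes:
        return False
    return not parts.netloc or parts.netloc in allowed_hosts


def resolve_next(post_data, get_data, default, allowed_hosts):
    """POST -> GET -> default fallback from the issue, with the value validated.

    post_data / get_data stand in for request.POST / request.GET (hypothetical
    dicts here); default stands in for settings.LOGIN_REDIRECT_URL.
    """
    redirect_to = post_data.get(REDIRECT_FIELD_NAME) or get_data.get(REDIRECT_FIELD_NAME)
    if redirect_to and is_safe_redirect(redirect_to, allowed_hosts):
        return redirect_to
    return default


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    hosts = {"app.example.com"}
    print(resolve_next({"next": "/dashboard/"}, {}, "/", hosts))          # /dashboard/
    print(resolve_next({}, {"next": "//evil.example/"}, "/", hosts))      # /
    print(resolve_next({"next": "javascript:alert(1)"}, {}, "/", hosts))  # /
```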
