wagnerdelima / drf-social-oauth2

drf-social-oauth2 makes it easy to integrate Django social authentication with major OAuth2 providers, i.e., Facebook, Twitter, Google, etc.
https://drf-social-oauth2.readthedocs.io/en/latest/
MIT License

convert_token returns html headers with user environment variables #144

Closed snowcrash-arin closed 1 year ago

snowcrash-arin commented 1 year ago

It returns the user environment variables in the headers along with response data. I removed the values due to sensitive data.

http://localhost:8000/auth/convert-token/

The same issue (result) for both DRF and curl.

```text
HTTP/1.1 200 OK
Date
Server
Content-Type
PATH
NVM_RC_VERSION
DB_USER_NAME
DB_PORT
WORKON_HOME
VIRTUALENVWRAPPER_PYTHON
GOOGLE_APPLICATION_CREDENTIALS
COMMAND_MODE
PS1
NICE_KEY_CODE
VIRTUALENVWRAPPER_SCRIPT
VIRTUALENVWRAPPER_WORKON_CD
LOGNAME
XPC_SERVICE_NAME
DB_DEV_HOST
PWD
PYCHARM_HOSTED
PYCHARM_DISPLAY_PORT
__CFBundleIdentifier
PYTHONPATH
NVM_CD_FLAGS
SHELL
DATABASE_NAME
NVM_DIR
PYTHONIOENCODING
CA_PATH
OLDPWD
USER
VIRTUALENVWRAPPER_HOOK_DIR
DEBUG
TMPDIR
SSH_AUTH_SOCK
DJANGO_SETTINGS_MODULE
VIRTUAL_ENV
XPC_FLAGS
PYTHONUNBUFFERED
VIRTUALENVWRAPPER_PROJECT_FILENAME
__CF_USER_TEXT_ENCODING
DB_USER_PASS
PROJECT_HOME
USE_CLOUD_SQL_AUTH_PROXY
LC_CTYPE
NICE_SECRET_CODE
HOME
DATABASE_URL
GS_BUCKET_NAME
SECRET_KEY
TZ
RUN_MAIN
SERVER_NAME
GATEWAY_INTERFACE
SERVER_PORT
REMOTE_HOST
CONTENT_LENGTH
SCRIPT_NAME
SERVER_PROTOCOL
SERVER_SOFTWARE
REQUEST_METHOD
PATH_INFO
QUERY_STRING
REMOTE_ADDR
CONTENT_TYPE
HTTP_HOST
HTTP_USER_AGENT
HTTP_ACCEPT
wsgi.version
wsgi.run_once
wsgi.url_scheme
wsgi.multithread
wsgi.multiprocess
wsgi.file_wrapper
Vary
Allow
X-Frame-Options
Content-Length
X-Content-Type-Options
Referrer-Policy
Cross-Origin-Opener-Policy
```

```json
{
  "access_token": "RlMWGzkVwkSkFn0y68PzSnsDZuQrk8",
  "expires_in": 31395.259142,
  "scope": "read write",
  "refresh_token": "7G6puqPRjQEJ5IMyx7BMq4ZvT1ONQg",
  "token_type": "Bearer"
}
```

snowcrash-arin commented 1 year ago

I just noticed this only happens if a user already exists (or when POSTing for the second time); the first time (new user) only shows the response data, as shown below.

```text
HTTP 200 OK
Allow: POST, OPTIONS
Cache-Control: no-store
Content-Type: application/json
Pragma: no-cache
Vary: Accept
```

```json
{
  "access_token": "qqlGnFjpex4SCA4dCQDnTA7tFJhIGf",
  "expires_in": 36000,
  "token_type": "Bearer",
  "scope": "read write",
  "refresh_token": "iIYBU49CpBf5RmmQZ9UlaHt2WlkyuO"
}
```

wagnerdelima commented 1 year ago

Hi @snowcrash-arin,

I never saw this issue before. I tried it locally and nothing described by your issue shows up.

I have tested it with and without a user and the response was absolutely the same:

```json
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbiI6IjkxZHVidzdQYUxQdEZLZXNzSWhuMWZRZG9OYjBWYyJ9.zyQsbrOGUqvNdDLFcONrgnGCNEDCh05n4tJieHcSi1E",
  "expires_in": 36000,
  "token_type": "Bearer",
  "scope": "read write",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbiI6Im5QcUplMDhiM0hqNW83Tmx5NWFyNDNpMEhBNDM3UyJ9.zwEc38-fNGwUAc4KQuhjhTH172FfgeAOq9g85UBKyW4"
}
```

wagnerdelima commented 1 year ago

I am closing this issue for now. Can you please elaborate on your problem more? Please include screenshots etc, whatever makes it easier for me to debug.

snowcrash-arin commented 1 year ago

Hi @wagnerdelima

If you are using curl, you have to pass -i to see the header contents.

```shell
curl -X POST \
  -d "grant_type=convert_token&client_id=z3AO2eQPapXfuBcg9d4a8mVfcdYlCEtRvS8wDE3Q&client_secret=client_secret&backend=google-oauth2&token=google_token" \
  -i http://localhost:8000/auth/convert-token
```

Let me know if you don't see what I see even with -i, I'll open a new case with screenshots and more details.

Thanks!
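The thread above describes the symptom (environment variable names such as `SECRET_KEY`, `DB_USER_PASS` and `DATABASE_URL`, plus WSGI/`request.META` keys like `HTTP_HOST` and `wsgi.url_scheme`, appearing as HTTP response headers) but never settles the cause. The following is an added example, not code from drf-social-oauth2 or from either participant: a small Python check that parses `curl -i`-style output and classifies every header that is not one the endpoint is expected to emit. The sample responses, the placeholder values and the `SAMPLE_ENVIRON` set are constructed from the header names quoted in the issue; the expected-header list and the "looks like a credential" regex are this example's own assumptions.

```python
"""Audit an HTTP response for header names that leak server-side state.

Added example for this issue (not drf-social-oauth2 code). Samples and the
environment set below are constructed from header names quoted in the thread,
with placeholder values.
"""
import os
import re
from typing import Dict, Iterable, List, Optional

# Assumption: headers a token endpoint legitimately emits (the clean response in
# the thread plus Django's usual security headers). Matched case-insensitively.
EXPECTED_HEADERS = {
    "date", "server", "content-type", "content-length", "vary", "allow",
    "cache-control", "pragma", "x-frame-options", "x-content-type-options",
    "referrer-policy", "cross-origin-opener-policy",
}

# CGI/WSGI keys that live in request.META. Seeing them as response headers means
# the WSGI environ (os.environ plus per-request data) was copied into the response.
WSGI_META_KEYS = {
    "REQUEST_METHOD", "PATH_INFO", "QUERY_STRING", "SCRIPT_NAME",
    "GATEWAY_INTERFACE", "CONTENT_LENGTH", "CONTENT_TYPE",
}
WSGI_PREFIX_RE = re.compile(r"^(wsgi\.|SERVER_|REMOTE_|HTTP_)")

# Assumption: names that look like credentials or signing material.
SENSITIVE_RE = re.compile(r"SECRET|PASS|TOKEN|CREDENTIAL|DATABASE_URL|(^|_)KEY($|_)", re.I)

# Accepts "HTTP/1.1 200 OK" (curl -i) and "HTTP 200 OK" (DRF browsable API).
STATUS_RE = re.compile(r"^HTTP(?:/\d(?:\.\d)?)?\s+\d{3}\b")


def header_names(raw: str) -> List[str]:
    """Return response header names from raw output. Body-only input (curl
    without -i) yields [] instead of mis-reading JSON as headers."""
    text = raw.replace("\r\n", "\n").lstrip("\n")
    head, _, _body = text.partition("\n\n")
    lines = head.split("\n")
    if not lines or not STATUS_RE.match(lines[0]):
        return []
    names = []
    for line in lines[1:]:
        name, sep, _value = line.partition(":")
        if sep:
            names.append(name.strip())
    return names


def audit(names: Iterable[str], environ_keys: Optional[Iterable[str]] = None) -> Dict[str, List[str]]:
    """Classify every non-expected header. environ_keys defaults to this
    process's environment, which is right when run on the dev-server host."""
    env = set(os.environ if environ_keys is None else environ_keys)
    report: Dict[str, List[str]] = {"env_leak": [], "wsgi_leak": [], "unexpected": [], "sensitive": []}
    for name in names:
        if name.lower() in EXPECTED_HEADERS:
            continue
        if name in env:
            report["env_leak"].append(name)
        elif name in WSGI_META_KEYS or WSGI_PREFIX_RE.match(name):
            report["wsgi_leak"].append(name)
        else:
            report["unexpected"].append(name)
        if SENSITIVE_RE.search(name):
            report["sensitive"].append(name)
    return report


def is_clean(raw: str, environ_keys: Optional[Iterable[str]] = None) -> bool:
    """True when no non-expected header at all is present."""
    return not any(audit(header_names(raw), environ_keys).values())


# Constructed environment for the dev host (names taken from the thread).
SAMPLE_ENVIRON = {
    "PATH", "HOME", "USER", "SHELL", "PWD", "TMPDIR", "DJANGO_SETTINGS_MODULE",
    "SECRET_KEY", "DB_USER_PASS", "DATABASE_URL", "GOOGLE_APPLICATION_CREDENTIALS",
}

# Constructed reproduction of the leaking response; values are placeholders.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: <redacted>\r\n"
    "Server: <redacted>\r\n"
    "Content-Type: application/json\r\n"
    "PATH: <redacted>\r\n"
    "DJANGO_SETTINGS_MODULE: <redacted>\r\n"
    "DB_USER_PASS: <redacted>\r\n"
    "SECRET_KEY: <redacted>\r\n"
    "DATABASE_URL: <redacted>\r\n"
    "RUN_MAIN: <redacted>\r\n"
    "REQUEST_METHOD: POST\r\n"
    "HTTP_HOST: localhost:8000\r\n"
    "wsgi.url_scheme: http\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    '{"access_token": "<redacted>", "token_type": "Bearer"}\r\n'
)

# Constructed copy of the clean (first-POST) response shape from the thread.
CLEAN_RESPONSE = (
    "HTTP 200 OK\nAllow: POST, OPTIONS\nCache-Control: no-store\n"
    "Content-Type: application/json\nPragma: no-cache\nVary: Accept\n\n"
    '{"access_token": "<redacted>", "token_type": "Bearer"}\n'
)

# What curl prints without -i: body only, no headers to audit.
BODY_ONLY = '{"access_token": "<redacted>", "token_type": "Bearer"}\n'

if __name__ == "__main__":
    for kind, found in audit(header_names(LEAKY_RESPONSE), SAMPLE_ENVIRON).items():
        print(f"{kind:10s} {found}")
    print("clean response ok:", is_clean(CLEAN_RESPONSE, SAMPLE_ENVIRON))
```

Run on the same machine as `runserver` with `environ_keys=None` so the comparison is against the real `os.environ`; anything in `env_leak` is process environment reaching the wire, and anything in `sensitive` is worth rotating if the endpoint was ever reachable by untrusted clients. The `BODY_ONLY` case is the point of the `-i` remark in the thread: without response headers in the captured output there is nothing for the check to see.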