[bug] /oauth/authorize with non-truthy force_login returns wrong code #529

Open
opened 2023-04-25 21:58:12 +00:00 by Michcio · 0 comments

Your setup

From source

Extra details

No response

Version

08d49fb

PostgreSQL version

No response

What were you trying to do?

  • I created an oauth app on kwsp using mastodon-py for use with the oob redirect uri

  • I generated the /oauth/authorize URL with mastodon-py and it came out as something with &force_login=False&state=None&lang=None which is eh but okay

  • I tried to use the URL to log in with my main account in browser, which was already logged into FE

What did you expect to happen?

An approve/deny form, followed by a token to copy into my code to finish auth flow

What actually happened?

After approving, it showed me a token. I pasted it into my code, and it didn't work. After some digging I noticed that the same token was in FE's vuex storage, under oauth.userToken, which suggests it was giving me the auth code for my logged-in FE instead of the app I actually wanted to log in to.

I'm observing the same behaviour if I set force_login to an empty string but keep it. If I remove force_login, it gives me a different code, one that works for completing the oauth flow. If I set it to "hehe" or whatever, it forces reapproval and it's fine.

I tried reading lib/pleroma/web/o_auth/o_auth_controller.ex, but I don't really understand plugs.

Logs

No response

Severity

I can manage

Have you searched for this issue?

  • I have double-checked and have not found this issue mentioned anywhere.
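The three cases the report describes (force_login absent, present but falsy, present and truthy) can be modelled as a small decision function. This is an added illustration, not Akkoma's controller code: the app ids, the session token and the accepted "falsy" spellings are constructed assumptions. It contrasts the reported behaviour (an existing session reused without checking which app it belongs to) with a version that only reuses an authorization whose app matches the requesting client_id.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed fixtures (hypothetical ids, not real Akkoma values).
FE_APP_ID = "fe-client"          # the frontend the browser is already logged into
MY_APP_ID = "my-script-client"   # the app registered via mastodon-py


@dataclass
class SessionToken:
    app_id: str   # the OAuth app this token was issued to
    value: str


# The browser session that already exists for the frontend (constructed).
FE_SESSION = SessionToken(app_id=FE_APP_ID, value="tok-for-fe")


def parse_force_login(raw: Optional[str]) -> Optional[bool]:
    """Tri-state view of the query parameter: None if absent, else a bool.

    The set of spellings treated as false is an assumption of this example;
    "False" and "" are the ones the report exercises, "hehe" is truthy."""
    if raw is None:
        return None
    return raw.strip().lower() not in ("", "false", "0", "no")


def authorize_as_reported(client_id: str, force_login: Optional[str],
                          session: Optional[SessionToken]) -> dict:
    """Models the reported behaviour: a present-but-falsy force_login with an
    existing session hands back that session's code, whatever app it is for."""
    if parse_force_login(force_login) is False and session is not None:
        return {"action": "reuse", "code": session.value, "app_id": session.app_id}
    return {"action": "show_approval_form", "client_id": client_id}


def authorize_checked(client_id: str, force_login: Optional[str],
                      session: Optional[SessionToken]) -> dict:
    """Reuse an existing authorization only if it belongs to the same app that
    is asking; any mismatch falls back to the approve/deny form."""
    forced = parse_force_login(force_login)
    if forced is False and session is not None and session.app_id == client_id:
        return {"action": "reuse", "code": session.value, "app_id": session.app_id}
    return {"action": "show_approval_form", "client_id": client_id}
```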
Michcio added the bug label 2023-04-25 21:58:12 +00:00
Michcio changed title from [bug] /oauth/authorize with non-truthy non-empty force_login returns wrong code to [bug] /oauth/authorize with non-truthy force_login returns wrong code 2023-04-25 23:05:34 +00:00
Reference: AkkomaGang/akkoma#529