
Commit 3acce5bc authored by Muhammad Rafif Elfazri's avatar Muhammad Rafif Elfazri

[GREEN] Fix Security issue on google login and function return value

parent 1a9203e7
import requests import requests
import random import random
from urllib.parse import parse_qs, urlparse
from rest_framework.utils import json from rest_framework.utils import json
from rest_framework.views import APIView
from rest_framework.response import Response
from rest_framework_simplejwt.tokens import RefreshToken
from rest_framework.permissions import IsAuthenticated
from rest_framework.authtoken.models import Token from rest_framework.authtoken.models import Token
from django.views.decorators.csrf import csrf_exempt from django.views.decorators.csrf import csrf_exempt
from django.http import JsonResponse
from django.http import JsonResponse, HttpResponse
from django.contrib.auth import authenticate from django.contrib.auth import authenticate
from django.contrib.auth.base_user import BaseUserManager from django.contrib.auth.base_user import BaseUserManager
from django.contrib.auth.hashers import make_password from django.contrib.auth.hashers import make_password
...@@ -27,30 +19,32 @@ def request_token(request): ...@@ -27,30 +19,32 @@ def request_token(request):
password = request.POST["password"] password = request.POST["password"]
google = request.POST.get("google", False) google = request.POST.get("google", False)
response = {} response = {}
status = 200
if google: if google:
access_token = request.POST["access_token"] access_token = request.POST["access_token"]
name = request.POST["name"] name = request.POST["name"]
try: try:
user = User.objects.get(email=email) result_code, result_email = validate_google_token(access_token)
if result_code:
user = User.objects.get(email=result_email)
email = result_email
else:
return result_email
except User.DoesNotExist: except User.DoesNotExist:
user, status = _request_token_from_google(email, access_token, name) user = _create_google_user(email, name)
else: else:
try: try:
user = authenticate(request, username=email, password=password) user = authenticate(request, username=email, password=password)
if user is None:
User.objects.get(email=email)
except User.DoesNotExist: except User.DoesNotExist:
response["response"] = "User not exist" response["response"] = "User not exist"
return JsonResponse(response, status=404) return JsonResponse(response, status=404)
if status != 200:
return status
if user is not None: if user is not None:
if user.is_active: if user.is_active:
#print("user active")
token, create = Token.objects.get_or_create(user=user) token, create = Token.objects.get_or_create(user=user)
response = {} response = {'username': user.username, 'token': token.key, 'token_type': "token"}
response['username'] = user.username
response['token'] = token.key
response['token_type'] = "token"
return JsonResponse(response, status=200) return JsonResponse(response, status=200)
else: else:
response["response"] = "Please activate your account" response["response"] = "Please activate your account"
...@@ -58,15 +52,9 @@ def request_token(request): ...@@ -58,15 +52,9 @@ def request_token(request):
else: else:
response["response"] = "Wrong password" response["response"] = "Wrong password"
return JsonResponse(response, status=400) return JsonResponse(response, status=400)
@csrf_exempt
def _request_token_from_google(email, access_token, name): def _create_google_user(email, name):
payload = {'access_token': access_token} # validate the token
req = requests.get('https://www.googleapis.com/oauth2/v2/userinfo', params=payload, proxies=settings.PROXIES)
data = json.loads(req.text)
if 'error' in data:
content = {'message': 'wrong google token / this google token is already expired.'}
return None, JsonResponse(content, status=404)
user = User() user = User()
user.username = email user.username = email
# provider random default password # provider random default password
...@@ -77,18 +65,18 @@ def _request_token_from_google(email, access_token, name): ...@@ -77,18 +65,18 @@ def _request_token_from_google(email, access_token, name):
user.save() user.save()
random_generated_phone_number = 'x'.join([str(random.randint(0, 9)) for i in range(8)]) random_generated_phone_number = 'x'.join([str(random.randint(0, 9)) for i in range(8)])
BisaGoUser.objects.create(user=user, phone_number=random_generated_phone_number) BisaGoUser.objects.create(user=user, phone_number=random_generated_phone_number)
return user, 200 return user
@csrf_exempt @csrf_exempt
def validate_google_token(email, access_token): def validate_google_token(access_token):
payload = {'access_token': access_token} # validate the token payload = {'access_token': access_token} # validate the token
req = requests.get('https://www.googleapis.com/oauth2/v2/userinfo', params=payload, proxies=settings.PROXIES) req = requests.get('https://www.googleapis.com/oauth2/v2/userinfo', params=payload, proxies=settings.PROXIES)
data = json.loads(req.text) data = json.loads(req.text)
if 'error' in data: if 'error' in data or 'email' not in data:
content = {'message': 'wrong google token / this google token is already expired.'} content = {'message': 'wrong google token / this google token is already expired.'}
return None, JsonResponse(content, status=404) return False, JsonResponse(content, status=404)
return User.objects.get(email=email) return True, data.get("email")
......
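Review bot: In the `request_token` hunk, when `User.objects.get(email=result_email)` raises `User.DoesNotExist`, the `except` branch calls `_create_google_user(email, name)` with `email` still holding the client-supplied POST value, because `email = result_email` is only reached after that lookup succeeds; a caller with any valid Google token can therefore register (and be issued a token for) an arbitrary not-yet-registered address, which undoes the check this commit adds. Create the account from the verified address instead: `user = _create_google_user(result_email, name)` (or move `email = result_email` above the lookup). Separately, the added `if user is None: User.objects.get(email=email)` in the password branch makes the 404 "User not exist" versus 400 "Wrong password" split reachable, which is a user-enumeration oracle; answering both failures with the same generic 400 avoids leaking which emails exist. The body of `request_token` starts before this hunk, so where `email` is first read from the request is not visible here.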