Issue 6473053: Add XSRF projection to oauth2decorator callback.

Issue 6473053: Add XSRF projection to oauth2decorator callback. (Closed)

Can't Edit
Can't Publish+Mail
Start Review

Created:
12 years, 10 months ago by jcgregorio_google

Modified:
12 years, 10 months ago

Reviewers:
jcgregorio_google, Ali Afshar

CC:
google-api-python-client_googlegroups.com

Visibility:
Public.

Description

XSRF per the spec http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-10.12

Patch Set 3 : also fix up django sample. #

Patch Set 4 : Added more tests. Also xsrf is now used to protect the redirect_uri. #

Patch Set 6 : clarified singleton name #

Created: 12 years, 10 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+470 lines, -214 lines)			Patch
M	oauth2client/appengine.py	View	1 2 3 4 5	7 chunks	+112 lines, -27 lines	0 comments	Download
M	oauth2client/client.py	View	1 2	1 chunk	+1 line, -1 line	0 comments	Download
A	oauth2client/xsrfutil.py	View	1 2	1 chunk	+106 lines, -0 lines	0 comments	Download
M	runtests.sh	View		1 chunk	+1 line, -0 lines	0 comments	Download
M	samples/appengine/grant.html	View	1 2	1 chunk	+1 line, -1 line	0 comments	Download
R	samples/dailymotion/README	View	1 2	1 chunk	+0 lines, -3 lines	0 comments	Download
R	samples/dailymotion/app.yaml	View	1 2	1 chunk	+0 lines, -9 lines	0 comments	Download
R	samples/dailymotion/index.yaml	View	1 2	1 chunk	+0 lines, -11 lines	0 comments	Download
R	samples/dailymotion/main.py	View	1 2	1 chunk	+0 lines, -100 lines	0 comments	Download
R	samples/dailymotion/welcome.html	View	1 2	1 chunk	+0 lines, -14 lines	0 comments	Download
A	samples/django_sample/client_secrets.json	View	1 2	1 chunk	+9 lines, -0 lines	0 comments	Download
M	samples/django_sample/plus/models.py	View	1 2	1 chunk	+0 lines, -4 lines	0 comments	Download
M	samples/django_sample/plus/views.py	View	1 2 3 4	3 chunks	+22 lines, -15 lines	0 comments	Download
M	tests/test_oauth2client_appengine.py	View	1 2 3 4 5	9 chunks	+107 lines, -29 lines	0 comments	Download
A	tests/test_oauth2client_xsrfutil.py	View	1	1 chunk	+111 lines, -0 lines	0 comments	Download

Messages

Total messages: 8

Expand All Messages | Collapse All Messages

Ali Afshar

LGTM http://codereview.appspot.com/6473053/diff/2001/oauth2client/xsrfutil.py File oauth2client/xsrfutil.py (right): http://codereview.appspot.com/6473053/diff/2001/oauth2client/xsrfutil.py#newcode79 oauth2client/xsrfutil.py:79: user_id: the user ID of the authenticated user ...

12 years, 10 months ago (2012-08-23 17:31:43 UTC) #2

jcgregorio_google

PTAL, dropped the DailyMotion sample and added XSRF protection into the Django sample. The DailyMotion ...

12 years, 10 months ago (2012-08-23 18:05:20 UTC) #3

jcgregorio_google

Added unit tests for appengine.xsrf_secret_key() and appengine._build_state_value and _parse_state_value.

12 years, 10 months ago (2012-08-24 14:11:04 UTC) #4

Ali Afshar

https://codereview.appspot.com/6473053/diff/11001/oauth2client/appengine.py File oauth2client/appengine.py (right): https://codereview.appspot.com/6473053/diff/11001/oauth2client/appengine.py#newcode87 oauth2client/appengine.py:87: model = SiteXsrfSecretKey.get_or_insert('there_is_only_one') Not obvious what this string is.

12 years, 10 months ago (2012-08-24 15:30:39 UTC) #5

jcgregorio_google

12 years, 10 months ago (2012-08-24 15:46:41 UTC) #6

jcgregorio_google

12 years, 10 months ago (2012-08-24 15:58:47 UTC) #8

On 2012/08/24 15:54:34, Ali Afshar wrote:
> LGTM

Committed in
http://code.google.com/p/google-api-python-client/source/detail?r=d931e04f8bb...

Expand All Messages | Collapse All Messages