Have Quay always use an OAuth-specific CSRF token
This change ensures that we always store and then check the contents of the OAuth `state` argument against a session-stored CSRF token. Fixes https://www.pivotaltracker.com/story/show/135803615
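The check the commit message describes, shown as an added example rather than Quay's own code: a dedicated OAuth token is minted per flow, stored server-side, sent as `state`, and compared on the callback in constant time and single-use. The session is modelled as a plain dict standing in for the Flask session; `OAUTH_STATE_KEY`, `generate_oauth_state`, `build_authorize_url`, `verify_oauth_state`, `handle_callback`, `demo`, the example endpoints and the constructed authorization codes are all assumptions for illustration, not names from the Quay code base.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed session key for the OAuth-only token. It is kept separate from the
# key holding the form CSRF token: `state` travels in URLs and Referer
# headers, so a token reused there would leak into logs and third parties.
OAUTH_STATE_KEY = "_oauth_csrf_token"


def generate_oauth_state(session: Dict[str, str]) -> str:
    """Mint a fresh unguessable token, store it in the session and return it
    for use as the `state` parameter of the authorization request."""
    token = secrets.token_urlsafe(32)
    session[OAUTH_STATE_KEY] = token
    return token


def build_authorize_url(authorize_endpoint: str, client_id: str,
                        redirect_uri: str, session: Dict[str, str]) -> str:
    """Compose the redirect the browser is sent to; `state` carries the token."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": generate_oauth_state(session),
    }
    return authorize_endpoint + "?" + urlencode(params)


def verify_oauth_state(session: Dict[str, str], state: Optional[str]) -> bool:
    """Compare the `state` echoed back by the provider with the stored token.

    The stored token is consumed on every attempt, pass or fail, so a callback
    URL cannot be replayed and the value cannot be probed; the comparison is
    constant-time so the token does not leak through timing."""
    expected = session.pop(OAUTH_STATE_KEY, None)
    if expected is None or state is None:
        return False
    return hmac.compare_digest(expected, state)


def handle_callback(session: Dict[str, str], query: Dict[str, str]) -> str:
    """Minimal callback handler; returns a status string instead of a response."""
    if not verify_oauth_state(session, query.get("state")):
        return "rejected: state mismatch"
    if "error" in query:
        return "denied: " + query["error"]
    if not query.get("code"):
        return "rejected: no code"
    # Here the code would be exchanged for tokens at the provider (omitted).
    return "ok: code accepted"


def demo() -> Dict[str, str]:
    """Walk through the honest flow, a replay, and a login-CSRF attempt.
    All sessions and query strings below are constructed for the example."""
    results: Dict[str, str] = {}

    # Honest user: the state minted into their session comes back unchanged.
    user_session: Dict[str, str] = {}
    url = build_authorize_url("https://idp.example/authorize", "example-client",
                              "https://registry.example/oauth/callback", user_session)
    echoed_state = parse_qs(urlsplit(url).query)["state"][0]
    results["honest"] = handle_callback(
        user_session, {"code": "AUTHCODE", "state": echoed_state})

    # Replaying the same callback URL fails: the token was already consumed.
    results["replay"] = handle_callback(
        user_session, {"code": "AUTHCODE", "state": echoed_state})

    # Login CSRF: the attacker starts a flow in their own browser and lures the
    # victim onto the callback URL. The victim's session holds a different
    # token, so the attacker's code is never bound to the victim's account.
    victim_session: Dict[str, str] = {}
    generate_oauth_state(victim_session)
    results["csrf"] = handle_callback(
        victim_session, {"code": "ATTACKERCODE", "state": "attacker-chosen"})
    return results
```

Running `demo()` yields `ok: code accepted` for the honest callback and `rejected: state mismatch` for both the replay and the login-CSRF attempt; the important property is that the rejection happens before the authorization code is ever exchanged.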
This commit is contained in:
parent 34f2ddce87
commit ff52fde8a5
8 changed files with 72 additions and 48 deletions
@ -494,7 +494,7 @@ def oauth_local_handler():
@web.route('/oauth/denyapp', methods=['POST'])
@csrf_protect
@csrf_protect()
def deny_application():
if not current_user.is_authenticated:
abort(401)
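Review bot: switching `deny_application` from the bare `@csrf_protect` to the call form `@csrf_protect()` means `csrf_protect` is now a decorator factory, and any bare `@csrf_protect` left elsewhere in the tree would hand the view function to the factory as its argument, replacing the handler with the inner decorator without any error at import time. Worth a grep for `@csrf_protect$` across all eight touched files and the rest of the code base before merge, and worth a short comment or docstring on the decorator saying what the no-argument default selects, since the token kind is now chosen by argument. Note also that the CSRF check runs before the `if not current_user.is_authenticated:` test in the body, so an anonymous POST without a valid token gets the CSRF rejection rather than `abort(401)`; that ordering is fine, but it should be intentional.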