GoogleMixin

Carl S. Yestrau Jr.

Feb 25, 2012, 1:35:53 PM
to Tornado Web Server
So I finally traced my XSRF problem with the Google mixin... This is
due to the OpenID endpoint changing methods based on the length of the
response:
http://code.google.com/googleapps/marketplace/testing.html#openid_post

What is a safe approach to disabling XSRF only for Google auth, and should
we consider adding this to the default auth.GoogleMixin module?

Hopefully this saves all of you several hours in the future, long live
basic auth!

Ben Darnell

Feb 27, 2012, 2:53:26 AM
to python-...@googlegroups.com
Wow, that's a surprising wrinkle. It's difficult to solve cleanly in
Tornado because the auth mixins really serve two disjoint roles. In
general, it should be safe to stub out check_xsrf_cookie in your login
handler (but not in other handlers that inherit from GoogleMixin to
make authenticated requests). It's definitely safe for OpenID. For
OAuth it's less clear, since the OAuth login flow does use cookies, but
if there's a hole here it would be present in the GET version as well.

Once you get past the xsrf issue, you run into the fact that all the
docs and examples for writing a login handler only override get(), not
post(). This looks like a good reason to go ahead with the
oft-discussed refactoring of the auth module.

-Ben
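One way to apply Ben's advice in a login handler, as an added example that is not code from the thread or from Tornado itself: the XSRF check is relaxed only in this one handler and only for the provider's POST back to the return_to URL (openid.mode=id_res or cancel), and the handler accepts that return on both GET and POST. It assumes a current Tornado (tornado.auth.OpenIdMixin, since the old GoogleMixin has since been removed) and uses a placeholder endpoint URL.

```python
"""Login handler for an OpenID provider that may POST long assertions
back to the return_to URL (the GoogleMixin wrinkle from this thread)."""
import tornado.auth
import tornado.web


def is_openid_return(method, openid_mode):
    """True only for the provider's return-to call: a POST carrying an
    OpenID assertion (id_res) or a cancel. Every other request keeps the
    normal XSRF check."""
    return method == "POST" and openid_mode in ("id_res", "cancel")


class OpenIdLoginHandler(tornado.web.RequestHandler, tornado.auth.OpenIdMixin):
    # Placeholder endpoint (assumption); Tornado's old GoogleMixin hard-coded
    # Google's OpenID 2.0 endpoint here.
    _OPENID_ENDPOINT = "https://openid.example.invalid/ud"

    def check_xsrf_cookie(self):
        # Relax the check only in this handler and only for the provider's
        # POST back to us. Handlers that use the mixin elsewhere to make
        # authenticated requests still get the stock check.
        mode = self.get_argument("openid.mode", None)
        if is_openid_return(self.request.method, mode):
            return
        super().check_xsrf_cookie()

    async def get(self):
        if self.get_argument("openid.mode", None):
            # get_authenticated_user() verifies the assertion with the
            # provider (openid.mode=check_authentication), so a forged
            # POST without a valid signature is rejected here.
            try:
                user = await self.get_authenticated_user()
            except tornado.auth.AuthError:
                raise tornado.web.HTTPError(403, "OpenID authentication failed")
            self.set_secure_cookie("user", user.get("email") or user["claimed_id"])
            self.redirect(self.get_argument("next", "/"))
            return
        self.authenticate_redirect()

    # The return_to request arrives as GET or POST depending on its length.
    post = get
```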
