Cross Browser Email Verification Error, Exception Type: AuthMissingParameter


Ashish Gupta

Nov 1, 2015, 9:03:59 PM11/1/15
to python-social-auth

I am using python-social-auth for authentication in my Django project. I am using the facebook, google-oauth2, email and twitter backends. In reference to GitHub issue #577, https://github.com/omab/python-social-auth/issues/577, i.e. partial pipelines are based on session data, I am facing the following problems:



1. No cross-browser email verification.

   I found a blog article to fix this using a monkey patch. It uses the Session table to fetch the session data and then sets the session details for resuming the pipeline during email verification.
   Reference:
   http://artandlogic.com/2015/07/email-validation-with-django-and-python-social-auth/
   https://gist.github.com/SaneMethod/b30156a3705ce9e944cd#file-django-python-social-auth-monkey-py

2. But after sending the email confirmation link, if any other user logs in on the same browser, the session data changes, leading to deletion of the session key. Then the email confirmation link becomes invalid. Even this monkey patch won't work.

3. If a user is logged in on a browser, and another user clicks on his confirmation email link (assuming the session_key exists and I am using the monkey patch discussed in 1), either both accounts get connected if the backends are different, or a "backend already in use" error will occur. It should be something like: log out the existing user and then proceed with confirmation of the email. This is a very critical bug in production, as two users' accounts will get connected.

4. If I sign up using email from a browser, then the partial_pipeline data is stored in the session. If I again try to sign up using different details, instead of using the different details it's using the details stored in the session. (I am not sure why it's happening.)

I have read omab's response regarding issue #577:

@maxsocl @craig-hacklaunch, I see the problem now, and even if I think that this could be solved with a re-write of the email validation pipeline, this affects all the pipeline functions that use the partial mechanism, so, I'm already working on a restructure of the pipeline serialization functionality that will improve this behavior. Basically the pipeline data will be dumped to a DB table and a hash code will be used to identify the processes which can be stopped and continue later, removing the dependency of the session.



Can anyone please point me to any fork or pull requests made to fix this.
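The restructure the thread refers to (pipeline state keyed by an opaque token in a store rather than by the browser session) is easiest to reason about with a small model. The block below is an added example, not python-social-auth's code or the monkey patch linked above; `PartialStore`, `PartialRecord` and `resume_email_verification` are hypothetical names, the store is in-memory instead of a DB table, and the e-mail addresses and user ids are constructed sample data. It shows why each of the four problems in the post goes away: links survive a session rotation (2), a new signup never picks up a stale run (4), and a confirmation link clicked while a different account is logged in is refused rather than linked to that account (3).

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class PartialRecord:
    """One suspended pipeline run (hypothetical shape, not python-social-auth's)."""
    backend: str
    data: dict
    created: float
    used: bool = False


class PartialStore:
    """Token-keyed store for suspended pipeline runs.

    In-memory here; the thread's proposal is a DB table. The browser session is
    never consulted, so a session rotation cannot invalidate a link and a new
    signup cannot pick up a previous run's data.
    """

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._records = {}          # sha256(token) -> PartialRecord
        self._ttl = ttl_seconds
        self._clock = clock         # injectable so tests can control expiry

    @staticmethod
    def _key(token):
        # Only a hash of the token is stored: a leaked table yields no working links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def save(self, backend, data):
        """Suspend a run and return the opaque token that goes into the e-mail link."""
        token = secrets.token_urlsafe(32)   # fresh random token for every run
        self._records[self._key(token)] = PartialRecord(backend, dict(data), self._clock())
        return token

    def _valid(self, token):
        key = self._key(token)
        rec = self._records.get(key)
        if rec is None or rec.used:
            return None
        if self._clock() - rec.created > self._ttl:
            del self._records[key]          # expired: drop it
            return None
        return rec

    def peek(self, token):
        """Look up a valid, unexpired, unused run without consuming it."""
        return self._valid(token)

    def consume(self, token):
        """Like peek, but marks the run used so the link works exactly once."""
        rec = self._valid(token)
        if rec is not None:
            rec.used = True
        return rec


def resume_email_verification(store, token, logged_in_user_id=None):
    """Hypothetical handler for the confirmation URL. Returns (status, record).

    `logged_in_user_id` is the account the browser's session currently belongs
    to, or None. If that is not the account the run was started for, the resume
    is refused with "logout_required" instead of being attached to whoever is
    logged in. The token is not consumed in that case, so the same link works
    again after the user logs out.
    """
    rec = store.peek(token)
    if rec is None:
        return "invalid", None
    owner = rec.data.get("user_id")     # None for a brand-new signup
    if logged_in_user_id is not None and logged_in_user_id != owner:
        return "logout_required", None
    return "ok", store.consume(token)
```

The two things a production version must keep are that the token is the only lookup key (no session involvement at all) and that the logged-in-account check happens before the token is consumed; consuming first would turn the refusal into a dead link.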


