Innova-AI/dictia-public
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

fix(auth): B-2.4 security review fixes — OAuth linking + magic link replay

Browse Source 
Follow-up to commit 0513e67 addressing 2 critical OAuth account-takeover
vulnerabilities and 5 important issues found in the security review.

Critical fixes:
- C1: gate OAuth email-link on ``email_verified is True`` (strict bool)
  in find_user_by_oauth + callback. Hostile Microsoft personal account
  or Workspace tenant returning email_verified=False (or omitting the
  claim) can no longer auto-link to an existing account. Callback shows
  a friendly French flash + redirect to /login when the email exists
  but the IdP didn't verify it.
- C2: refuse to overwrite an existing sso_subject in find_user_by_oauth.
  A second IdP claiming the victim's email (Google after Microsoft, or
  a hostile second Microsoft tenant) now raises PermissionError instead
  of silently re-binding the User row, which would lock the legitimate
  user out. Callback catches and flashes the error message in French.

Important fixes:
- I1: replace ``except Exception: pass`` in init_oauth_providers with an
  idempotency pre-check on _oauth._clients. Real registration errors
  (bad metadata URL, network failure) now surface as exceptions instead
  of being silently swallowed at app boot.
- I2: single-use enforcement for magic-link tokens via in-process JTI
  cache (_consumed_jtis dict). Replay within the 15-min validity window
  now returns None. SECRET_KEY is now strictly required (no
  default-dev-key fallback). Operator-facing comment documents that
  /auth/magic-link/* should also be scrubbed from Cloudflare/Flask
  access logs as defence in depth.
- I3: pre-check email collision in create_oauth_user_with_consent and
  raise dedicated EmailAlreadyExistsError. Race against parallel /signup
  in another tab between OAuth callback and finish-signup POST now
  redirects to /login with a helpful French flash instead of burning 5
  retry attempts and surfacing a 500.
- I4: oauth_signup_pending session blob now carries a created_at
  timestamp; finish-signup rejects sessions older than 15 min with a
  graceful expiry flash + redirect to /login.
- I5: init_oauth_providers logs an INFO when no providers are enabled
  so operators can spot misconfigured deployments.

Tests: 16 → 21 (5 new):
- test_oauth_callback_refuses_link_when_email_not_verified (C1)
- test_oauth_callback_refuses_to_overwrite_existing_sso_subject (C2)
- test_finish_signup_handles_concurrent_account_creation (I3)
- test_finish_signup_expires_stale_oauth_session (I4)
- test_magic_link_token_is_single_use (I2)

Existing tests updated for new contract:
- test_oauth_callback_links_existing_user_by_email now sets
  email_verified=True in the mock token (required by C1 gate).
- test_finish_signup_requires_cgu_and_confidentialite and
  test_finish_signup_creates_user_and_4_consent_logs now seed
  created_at in the session blob (required by I4 expiry check).
- test_magic_link_consume_logs_in_user_with_valid_token now also
  asserts a second consume of the same token returns None and
  redirects to /auth/magic-link with an invalid/expired flash.

Verified: 21/21 OAuth+magic-link tests pass; 16/16 email service tests
still pass (no regression in adjacent surface).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Allison
2026-04-27 23:50:55 -04:00
parent 0513e67838
commit 3a41bb482d
4 changed files with 548 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

309
tests/test_oauth_magic_link.py
View File

@@ -202,7 +202,12 @@ def test_oauth_callback_logs_in_existing_user_by_subject():
# ----------------------------------------------------------------------
def test_oauth_callback_links_existing_user_by_email():
"""User with matching email but no sso_subject gets linked + logged in."""
"""User with matching email but no sso_subject gets linked + logged in.
Requires email_verified=True from the IdP — see test
test_oauth_callback_refuses_link_when_email_not_verified for the
negative case.
"""
with app.app_context():
_disable_csrf()
_set_oauth_env()
@@ -222,6 +227,7 @@ def test_oauth_callback_links_existing_user_by_email():
'userinfo': {
'sub': 'google-new-sub-789',
'email': 'emaillink@example.qc.ca',
'email_verified': True, # required for auto-link
'name': 'Email Link User',
}
}
@@ -249,6 +255,7 @@ def test_oauth_callback_links_existing_user_by_email():
def test_finish_signup_requires_cgu_and_confidentialite():
"""POST without CGU+confidentialite returns 400; no User created; session preserved."""
import time as _time
with app.app_context():
_disable_csrf()
db.create_all()
@@ -264,6 +271,7 @@ def test_finish_signup_requires_cgu_and_confidentialite():
'given_name': 'Pending',
'family_name': 'User',
},
'created_at': _time.time(),
}
resp = client.post('/auth/oauth/finish-signup', data={
# No consents
@@ -287,6 +295,7 @@ def test_finish_signup_requires_cgu_and_confidentialite():
def test_finish_signup_creates_user_and_4_consent_logs():
"""POST with all consents → User created with 4 ConsentLog rows + login."""
import time as _time
with app.app_context():
_disable_csrf()
db.create_all()
@@ -302,6 +311,7 @@ def test_finish_signup_creates_user_and_4_consent_logs():
'given_name': 'Success',
'family_name': 'User',
},
'created_at': _time.time(),
}
resp = client.post('/auth/oauth/finish-signup', data={
'consent_cgu': 'y',
@@ -446,7 +456,18 @@ def test_magic_link_request_skips_unverified_user_silently():
# ----------------------------------------------------------------------
def test_magic_link_consume_logs_in_user_with_valid_token():
"""Valid token → user logged in + redirect to recordings.index."""
"""Valid token → user logged in + redirect to recordings.index. Second
consume of the same token is refused (single-use enforcement).
Note on the g.pop('_login_user') below: when test_client requests run
inside an outer ``with app.app_context()`` block, Flask-Login caches
the user on ``g._login_user`` and that cache persists to the next
request because ``g`` is bound to the app context, not the request
context. Production (no outer app_context) gets a fresh g per request
and is unaffected. We pop the cache between requests to simulate the
fresh-request behavior.
"""
from flask import g
with app.app_context():
_disable_csrf()
db.create_all()
@@ -468,6 +489,27 @@ def test_magic_link_consume_logs_in_user_with_valid_token():
assert '/auth/magic-link' not in resp.headers['Location']
with client.session_transaction() as sess:
assert sess.get('_user_id') == str(user.id)
# Clear Flask-Login's cached current_user so the next test_client
# request doesn't see the previous user as still-authenticated
# (artifact of running multiple test_clients inside a shared
# app_context — see docstring).
g.pop('_login_user', None)
# Single-use: replay the same token in a fresh client; must be
# refused.
with app.test_client() as client2:
resp2 = client2.get(f'/auth/magic-link/{token}', follow_redirects=False)
assert resp2.status_code == 302
# Refused → redirected back to /auth/magic-link (the request page)
assert '/auth/magic-link' in resp2.headers['Location']
with client2.session_transaction() as sess:
assert sess.get('_user_id') is None
flashes = sess.get('_flashes', [])
assert any(
'invalide' in msg.lower() or 'expir' in msg.lower()
for _cat, msg in flashes
), f'expected invalid/expired flash on replay, got {flashes}'
finally:
db.session.rollback()
db.drop_all()
@@ -612,3 +654,266 @@ def test_send_magic_link_email_french_branded():
finally:
db.session.rollback()
db.drop_all()
# ----------------------------------------------------------------------
# 16. C1 — refuse to auto-link when IdP did not verify the email
# ----------------------------------------------------------------------
def test_oauth_callback_refuses_link_when_email_not_verified():
"""Hostile IdP returns email_verified=False — must NOT auto-link to existing user.
Account-takeover protection: a Microsoft personal account or hostile
Workspace tenant could issue a token claiming
``email='alice@dictia.ca'`` without ever proving Alice controls that
mailbox. Falling through and auto-linking would let the attacker log
in as Alice. The fix gates email-link on ``email_verified is True``.
"""
with app.app_context():
_disable_csrf()
_set_oauth_env()
db.create_all()
try:
existing = User(
username='alicedict',
email='alice@dictia.ca',
password='$2b$12$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMN',
email_verified=True,
)
db.session.add(existing)
db.session.commit()
existing_id = existing.id
# Hostile token: same email, different sub, NOT verified.
mock_token = {
'userinfo': {
'sub': 'hostile-sub-999',
'email': 'alice@dictia.ca',
'email_verified': False,
'name': 'Not Alice',
}
}
with patch('src.api.auth.get_oauth_client') as mock_get_client:
client_mock = MagicMock()
client_mock.authorize_access_token.return_value = mock_token
mock_get_client.return_value = client_mock
with app.test_client() as test_client:
resp = test_client.get('/auth/oauth/microsoft/callback')
# Refused → redirect to /login (not /auth/oauth/finish-signup
# and not into recordings.index).
assert resp.status_code == 302
assert '/login' in resp.headers['Location']
assert '/auth/oauth/finish-signup' not in resp.headers['Location']
with test_client.session_transaction() as sess:
# NOT logged in
assert sess.get('_user_id') is None
# NOT pending finish-signup either
assert 'oauth_signup_pending' not in sess
flashes = sess.get('_flashes', [])
# French flash about account already existing
assert any(
'compte dictia existe' in msg.lower()
or 'connectez-vous' in msg.lower()
for _cat, msg in flashes
), f'expected manual-link flash, got {flashes}'
# sso_subject untouched on Alice's row
refreshed = db.session.get(User, existing_id)
assert refreshed.sso_subject is None
assert refreshed.sso_provider is None
finally:
db.session.rollback()
db.drop_all()
# ----------------------------------------------------------------------
# 17. C2 — refuse to overwrite an existing sso_subject (second-IdP hijack)
# ----------------------------------------------------------------------
def test_oauth_callback_refuses_to_overwrite_existing_sso_subject():
"""Hostile second IdP claims existing user's email — must refuse to overwrite sso_subject.
Account-hijack protection: Bob is legitimately linked to
``ms-sub-A`` via Microsoft. An attacker on Google (or even a different
Microsoft tenant) authenticates with ``email='bob@dictia.ca'`` and
``email_verified=True`` (Google verifies Gmail addresses). Without
this guard, the email-link branch would silently overwrite Bob's
``sso_subject`` to ``google-sub-X`` and lock Bob out forever.
"""
with app.app_context():
_disable_csrf()
_set_oauth_env()
db.create_all()
try:
bob = User(
username='bobdict',
email='bob@dictia.ca',
password=None,
sso_provider='microsoft',
sso_subject='ms-sub-A',
email_verified=True,
)
db.session.add(bob)
db.session.commit()
bob_id = bob.id
mock_token = {
'userinfo': {
'sub': 'google-sub-X',
'email': 'bob@dictia.ca',
'email_verified': True,
'name': 'Bob (Google)',
}
}
with patch('src.api.auth.get_oauth_client') as mock_get_client:
client_mock = MagicMock()
client_mock.authorize_access_token.return_value = mock_token
mock_get_client.return_value = client_mock
with app.test_client() as test_client:
resp = test_client.get('/auth/oauth/google/callback')
assert resp.status_code == 302
assert '/login' in resp.headers['Location']
with test_client.session_transaction() as sess:
assert sess.get('_user_id') is None
assert 'oauth_signup_pending' not in sess
flashes = sess.get('_flashes', [])
assert any(
'déjà liée' in msg.lower()
or 'autre identité' in msg.lower()
for _cat, msg in flashes
), f'expected already-linked flash, got {flashes}'
# Bob's sso_subject untouched
refreshed = db.session.get(User, bob_id)
assert refreshed.sso_subject == 'ms-sub-A'
assert refreshed.sso_provider == 'microsoft'
finally:
db.session.rollback()
db.drop_all()
# ----------------------------------------------------------------------
# 18. I3 — finish-signup race: parallel /signup created the email
# ----------------------------------------------------------------------
def test_finish_signup_handles_concurrent_account_creation():
"""If user is created via /signup in another tab between OAuth callback
and finish-signup POST, /auth/oauth/finish-signup must redirect to
/login with a helpful French flash, not 500.
"""
import time as _time
with app.app_context():
_disable_csrf()
db.create_all()
try:
# Pre-create the user (simulating the parallel /signup that won)
racer = User(
username='raceuser',
email='race@x.ca',
password='$2b$12$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMN',
email_verified=True,
)
db.session.add(racer)
db.session.commit()
racer_id = racer.id
with app.test_client() as client:
with client.session_transaction() as sess:
sess['oauth_signup_pending'] = {
'provider': 'microsoft',
'subject': 'ms-sub-race',
'userinfo': {
'email': 'race@x.ca',
'name': 'Race User',
'given_name': 'Race',
'family_name': 'User',
},
'created_at': _time.time(),
}
resp = client.post('/auth/oauth/finish-signup', data={
'consent_cgu': 'y',
'consent_confidentialite': 'y',
'consent_marketing': 'y',
'consent_analytics': 'y',
})
assert resp.status_code == 302
assert '/login' in resp.headers['Location']
with client.session_transaction() as sess:
assert 'oauth_signup_pending' not in sess
assert sess.get('_user_id') is None
flashes = sess.get('_flashes', [])
assert any(
'compte dictia existe' in msg.lower()
for _cat, msg in flashes
), f'expected race-flash, got {flashes}'
# Original racer untouched
refreshed = db.session.get(User, racer_id)
assert refreshed.sso_subject is None
assert refreshed.sso_provider is None
# Only one User row for that email
assert User.query.filter_by(email='race@x.ca').count() == 1
finally:
db.session.rollback()
db.drop_all()
# ----------------------------------------------------------------------
# 19. I2 single-use — magic-link token rejected on second consume (unit test)
# ----------------------------------------------------------------------
def test_magic_link_token_is_single_use():
"""Replaying a magic-link token within the validity window must fail
at the function level (no Flask request needed). Complements the
integration coverage in test_magic_link_consume_logs_in_user_with_valid_token."""
with app.app_context():
from src.auth.magic_link import (
generate_magic_link_token,
consume_magic_link_token,
)
token = generate_magic_link_token(424242)
first = consume_magic_link_token(token)
assert first == 424242, f'first consume should return user_id, got {first}'
second = consume_magic_link_token(token)
assert second is None, f'replay should return None, got {second}'
third = consume_magic_link_token(token)
assert third is None, f'second replay should also return None, got {third}'
# ----------------------------------------------------------------------
# 20. I4 — finish-signup expires stale OAuth signup sessions
# ----------------------------------------------------------------------
def test_finish_signup_expires_stale_oauth_session():
"""Session blob older than 15 min triggers a graceful expiry redirect."""
import time as _time
with app.app_context():
_disable_csrf()
db.create_all()
try:
with app.test_client() as client:
with client.session_transaction() as sess:
sess['oauth_signup_pending'] = {
'provider': 'google',
'subject': 'stale-sub-001',
'userinfo': {
'email': 'stale@example.qc.ca',
'name': 'Stale User',
'given_name': 'Stale',
'family_name': 'User',
},
# 16 minutes ago — past the 15-min expiry
'created_at': _time.time() - 16 * 60,
}
resp = client.get('/auth/oauth/finish-signup')
assert resp.status_code == 302
assert '/login' in resp.headers['Location']
with client.session_transaction() as sess:
assert 'oauth_signup_pending' not in sess
flashes = sess.get('_flashes', [])
assert any(
'expir' in msg.lower() or 'recommencez' in msg.lower()
for _cat, msg in flashes
), f'expected expiry flash, got {flashes}'
# No User created
assert User.query.filter_by(email='stale@example.qc.ca').first() is None
finally:
db.session.rollback()
db.drop_all()