dictia-public

Author SHA1 Message Date

Author	SHA1	Message	Date
Allison	3a41bb482d	fix(auth): B-2.4 security review fixes — OAuth linking + magic link replay Follow-up to commit `0513e67` addressing 2 critical OAuth account-takeover vulnerabilities and 5 important issues found in the security review. Critical fixes: - C1: gate OAuth email-link on ``email_verified is True`` (strict bool) in find_user_by_oauth + callback. Hostile Microsoft personal account or Workspace tenant returning email_verified=False (or omitting the claim) can no longer auto-link to an existing account. Callback shows a friendly French flash + redirect to /login when the email exists but the IdP didn't verify it. - C2: refuse to overwrite an existing sso_subject in find_user_by_oauth. A second IdP claiming the victim's email (Google after Microsoft, or a hostile second Microsoft tenant) now raises PermissionError instead of silently re-binding the User row, which would lock the legitimate user out. Callback catches and flashes the error message in French. Important fixes: - I1: replace ``except Exception: pass`` in init_oauth_providers with an idempotency pre-check on _oauth._clients. Real registration errors (bad metadata URL, network failure) now surface as exceptions instead of being silently swallowed at app boot. - I2: single-use enforcement for magic-link tokens via in-process JTI cache (_consumed_jtis dict). Replay within the 15-min validity window now returns None. SECRET_KEY is now strictly required (no default-dev-key fallback). Operator-facing comment documents that /auth/magic-link/* should also be scrubbed from Cloudflare/Flask access logs as defence in depth. - I3: pre-check email collision in create_oauth_user_with_consent and raise dedicated EmailAlreadyExistsError. Race against parallel /signup in another tab between OAuth callback and finish-signup POST now redirects to /login with a helpful French flash instead of burning 5 retry attempts and surfacing a 500. - I4: oauth_signup_pending session blob now carries a created_at timestamp; finish-signup rejects sessions older than 15 min with a graceful expiry flash + redirect to /login. - I5: init_oauth_providers logs an INFO when no providers are enabled so operators can spot misconfigured deployments. Tests: 16 → 21 (5 new): - test_oauth_callback_refuses_link_when_email_not_verified (C1) - test_oauth_callback_refuses_to_overwrite_existing_sso_subject (C2) - test_finish_signup_handles_concurrent_account_creation (I3) - test_finish_signup_expires_stale_oauth_session (I4) - test_magic_link_token_is_single_use (I2) Existing tests updated for new contract: - test_oauth_callback_links_existing_user_by_email now sets email_verified=True in the mock token (required by C1 gate). - test_finish_signup_requires_cgu_and_confidentialite and test_finish_signup_creates_user_and_4_consent_logs now seed created_at in the session blob (required by I4 expiry check). - test_magic_link_consume_logs_in_user_with_valid_token now also asserts a second consume of the same token returns None and redirects to /auth/magic-link with an invalid/expired flash. Verified: 21/21 OAuth+magic-link tests pass; 16/16 email service tests still pass (no regression in adjacent surface). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-27 23:50:55 -04:00
Allison	0513e67838	feat(auth): B-2.4 OAuth Microsoft/Google + magic link (Loi 25 deferred consent) Adds Microsoft 365 + Google OAuth providers (separate from the existing generic OIDC SSO at src/auth/sso.py) and a passwordless magic-link login flow. New OAuth signups capture Loi 25 art. 14 consents (4 granular checkboxes) BEFORE creating the User row via /auth/oauth/finish-signup. Per compatibility-audit.md C2: - No src/auth_extended/ directory — extends src/auth/ in place - No new User columns — reuses sso_provider/sso_subject + email_verified - Magic-link tokens via itsdangerous URLSafeTimedSerializer (15-min, no DB) - All routes added to existing auth_bp; templates extend marketing/base.html - Anti-enumeration on /auth/magic-link (generic flash for unknown OR unverified emails) and /auth/magic-link/<token> (same flash for invalid/expired/unverified-user) Files added: - src/auth/oauth_providers.py — Microsoft + Google OAuth registration, is_oauth_provider_enabled(), find_user_by_oauth(), create_oauth_user_with_consent() - src/auth/magic_link.py — generate/consume magic-link tokens - templates/auth/magic_link_request.html, templates/auth/oauth_finish_signup.html - tests/test_oauth_magic_link.py + tests/_run_oauth_magic_link_windows.py (16 tests) - config/env.oauth.example Files modified: - src/api/auth.py — 5 new routes (oauth_provider_login/callback, oauth_finish_signup, magic_link_request/consume); login flashes translated FR; oauth_*_enabled flags passed to login template - src/app.py — wires init_oauth_providers(app) after blueprint registration - src/services/email.py — adds send_magic_link_email() (FR + DictIA brand) - templates/login.html — refondu IN PLACE (was 178 lines legacy Vue/TW3) to extend marketing/base.html with OAuth buttons, password form, magic-link CTA, signup link - templates/auth/check_email.html — adds action='magic_link' branch - static/css/tailwind.config.js — adds templates/login.html to content - static/css/marketing.css — rebuilt Tests: 16/16 PASS via Windows manual driver. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-27 23:29:24 -04:00

Allison

3a41bb482d

fix(auth): B-2.4 security review fixes — OAuth linking + magic link replay

Follow-up to commit 0513e67 addressing 2 critical OAuth account-takeover
vulnerabilities and 5 important issues found in the security review.

Critical fixes:
- C1: gate OAuth email-link on ``email_verified is True`` (strict bool)
  in find_user_by_oauth + callback. Hostile Microsoft personal account
  or Workspace tenant returning email_verified=False (or omitting the
  claim) can no longer auto-link to an existing account. Callback shows
  a friendly French flash + redirect to /login when the email exists
  but the IdP didn't verify it.
- C2: refuse to overwrite an existing sso_subject in find_user_by_oauth.
  A second IdP claiming the victim's email (Google after Microsoft, or
  a hostile second Microsoft tenant) now raises PermissionError instead
  of silently re-binding the User row, which would lock the legitimate
  user out. Callback catches and flashes the error message in French.

Important fixes:
- I1: replace ``except Exception: pass`` in init_oauth_providers with an
  idempotency pre-check on _oauth._clients. Real registration errors
  (bad metadata URL, network failure) now surface as exceptions instead
  of being silently swallowed at app boot.
- I2: single-use enforcement for magic-link tokens via in-process JTI
  cache (_consumed_jtis dict). Replay within the 15-min validity window
  now returns None. SECRET_KEY is now strictly required (no
  default-dev-key fallback). Operator-facing comment documents that
  /auth/magic-link/* should also be scrubbed from Cloudflare/Flask
  access logs as defence in depth.
- I3: pre-check email collision in create_oauth_user_with_consent and
  raise dedicated EmailAlreadyExistsError. Race against parallel /signup
  in another tab between OAuth callback and finish-signup POST now
  redirects to /login with a helpful French flash instead of burning 5
  retry attempts and surfacing a 500.
- I4: oauth_signup_pending session blob now carries a created_at
  timestamp; finish-signup rejects sessions older than 15 min with a
  graceful expiry flash + redirect to /login.
- I5: init_oauth_providers logs an INFO when no providers are enabled
  so operators can spot misconfigured deployments.

Tests: 16 → 21 (5 new):
- test_oauth_callback_refuses_link_when_email_not_verified (C1)
- test_oauth_callback_refuses_to_overwrite_existing_sso_subject (C2)
- test_finish_signup_handles_concurrent_account_creation (I3)
- test_finish_signup_expires_stale_oauth_session (I4)
- test_magic_link_token_is_single_use (I2)

Existing tests updated for new contract:
- test_oauth_callback_links_existing_user_by_email now sets
  email_verified=True in the mock token (required by C1 gate).
- test_finish_signup_requires_cgu_and_confidentialite and
  test_finish_signup_creates_user_and_4_consent_logs now seed
  created_at in the session blob (required by I4 expiry check).
- test_magic_link_consume_logs_in_user_with_valid_token now also
  asserts a second consume of the same token returns None and
  redirects to /auth/magic-link with an invalid/expired flash.

Verified: 21/21 OAuth+magic-link tests pass; 16/16 email service tests
still pass (no regression in adjacent surface).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-27 23:50:55 -04:00

Allison

0513e67838

feat(auth): B-2.4 OAuth Microsoft/Google + magic link (Loi 25 deferred consent)

Adds Microsoft 365 + Google OAuth providers (separate from the existing
generic OIDC SSO at src/auth/sso.py) and a passwordless magic-link login
flow. New OAuth signups capture Loi 25 art. 14 consents (4 granular
checkboxes) BEFORE creating the User row via /auth/oauth/finish-signup.

Per compatibility-audit.md C2:
- No src/auth_extended/ directory — extends src/auth/ in place
- No new User columns — reuses sso_provider/sso_subject + email_verified
- Magic-link tokens via itsdangerous URLSafeTimedSerializer (15-min, no DB)
- All routes added to existing auth_bp; templates extend marketing/base.html
- Anti-enumeration on /auth/magic-link (generic flash for unknown OR
  unverified emails) and /auth/magic-link/<token> (same flash for
  invalid/expired/unverified-user)

Files added:
- src/auth/oauth_providers.py — Microsoft + Google OAuth registration,
  is_oauth_provider_enabled(), find_user_by_oauth(), create_oauth_user_with_consent()
- src/auth/magic_link.py — generate/consume magic-link tokens
- templates/auth/magic_link_request.html, templates/auth/oauth_finish_signup.html
- tests/test_oauth_magic_link.py + tests/_run_oauth_magic_link_windows.py (16 tests)
- config/env.oauth.example

Files modified:
- src/api/auth.py — 5 new routes (oauth_provider_login/callback,
  oauth_finish_signup, magic_link_request/consume); login flashes translated FR;
  oauth_*_enabled flags passed to login template
- src/app.py — wires init_oauth_providers(app) after blueprint registration
- src/services/email.py — adds send_magic_link_email() (FR + DictIA brand)
- templates/login.html — refondu IN PLACE (was 178 lines legacy Vue/TW3)
  to extend marketing/base.html with OAuth buttons, password form,
  magic-link CTA, signup link
- templates/auth/check_email.html — adds action='magic_link' branch
- static/css/tailwind.config.js — adds templates/login.html to content
- static/css/marketing.css — rebuilt

Tests: 16/16 PASS via Windows manual driver.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-27 23:29:24 -04:00

2 Commits