mistakenot-2:appengine-toolkit md$ git diff
diff --git i/gaetk/handler.py w/gaetk/handler.py
index aeb7ebe..e50d63d 100755
--- i/gaetk/handler.py
+++ w/gaetk/handler.py
@@ -24,10 +24,12 @@ import base64
import datetime
import hashlib
import os
+import string
import time
import urllib
import urlparse
import uuid
+import random
import warnings
from functools import partial
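Review bot: `import random` is inserted between `uuid` and `warnings`, breaking the alphabetical order the block otherwise keeps (the new `import string` was placed in order). Move it up so the block stays sorted: `import os`, `import random`, `import string`, `import time`.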
@@ -178,6 +180,10 @@ class BasicHandler(webapp2.RequestHandler):
self.session = {}
super(BasicHandler, self).__init__(*args, **kwargs)
self.credential = None
+ if 'secret_state' not in self.session:
+ self.session['secret_state'] = ''.join(random.choice(string.ascii_uppercase + string.digits)
+ for x in xrange(32))
+
def abs_url(self, url):
"""Converts an relative into an absolute URL."""
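Review bot: The anti-forgery token written at the added `self.session['secret_state'] = ...` lines is drawn from `random.choice`, i.e. the default Mersenne Twister generator, which is not a cryptographically secure source for a value whose whole purpose is to be unguessable by a third party. Draw it from the OS instead with the same imports: `self.session['secret_state'] = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for x in xrange(32))`. The enclosing `__init__` starts outside the hunk. Since the token is now minted in `BasicHandler.__init__` for every handler, it presumably only stays stable between the login redirect and the OAuth callback if the session is persisted by each request that creates it — worth confirming against the session middleware. A short comment such as `# OAuth2 anti-forgery state: must be unguessable and survive until the callback` would record the intent for the next reader.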
diff --git i/gaetk/login.py w/gaetk/login.py
index 7e13820..14c7c51 100755
--- i/gaetk/login.py
+++ w/gaetk/login.py
@@ -136,9 +136,6 @@ class LoginHandler(BasicHandler):
def get_oauth_url(session, request):
# Create a state token to prevent request forgery.
# Store it in the session for later validation.
- state = ''.join(random.choice(string.ascii_uppercase + string.digits)
- for x in xrange(32))
- session['oauth_state'] = state
# Set the client ID, token state, and application name in the HTML while
# serving it.
url = config.OAUTH['web']['auth_uri']
@@ -147,7 +144,7 @@ def get_oauth_url(session, request):
response_type="code",
scope="openid email profile",
redirect_uri=get_oauth_callback_url(request),
- state=state,
+ state=session.get('secret_state', 'X'),
# login_hint="jsmith@example.com", TODO: gaetkoauthmail
)
if len(LOGIN_ALLOWED_DOMAINS) == 1:
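Review bot: The `'X'` fallback in `state=session.get('secret_state', 'X')` silently turns a missing session token into a constant, predictable state value, and the matching fallback on the comparison side in the OAuth2Callback hunk (`self.session.get('secret_state', 'X')`, used twice) means the check degrades to comparing against a fixed string whenever the session has no token. With the token now minted in `BasicHandler.__init__` the fallback should be unreachable, so make that assumption explicit rather than defaulting: `state=session['secret_state'],` here and `if self.request.get('state') != self.session['secret_state']:` in the callback, so a missing token raises KeyError instead of being papered over. The body of get_oauth_url continues outside this hunk.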
@@ -202,9 +199,9 @@ class OAuth2Callback(BasicHandler):
# https://dev-md-dot-hudoraexpress.appspot.com/oauth2callback?
# 3. Confirm anti-forgery state token
- if self.request.get('state') != self.session.get('oauth_state'):
+ if self.request.get('state') != self.session.get('secret_state', 'X'):
raise RuntimeError("wrong state: %r != %r" % (
- self.request.get('state'), self.session.get('oauth_state')))
+ self.request.get('state'), self.session.get('secret_state', 'X')))
if LOGIN_ALLOWED_DOMAINS and self.request.get('hd') not in LOGIN_ALLOWED_DOMAINS:
raise RuntimeError("wrong domain: %r not in %r" % (
self.request.get('hd'), LOGIN_ALLOWED_DOMAINS))