fix(oauth): add callback error page for google oauth flow
This commit is contained in:
@@ -1,61 +1,59 @@
|
||||
from django.http import HttpResponseRedirect
|
||||
from django.contrib.auth import get_user_model
|
||||
from django.http import HttpResponseRedirect
|
||||
from django_filters.rest_framework import DjangoFilterBackend
|
||||
from drf_spectacular.utils import extend_schema, inline_serializer
|
||||
from rest_framework import serializers, status
|
||||
from rest_framework.filters import OrderingFilter, SearchFilter
|
||||
from rest_framework.generics import ListAPIView, UpdateAPIView
|
||||
from rest_framework.mixins import DestroyModelMixin, RetrieveModelMixin, UpdateModelMixin
|
||||
from rest_framework.parsers import FormParser, MultiPartParser
|
||||
from rest_framework.permissions import AllowAny, IsAuthenticated
|
||||
from rest_framework.response import Response
|
||||
from rest_framework.views import APIView
|
||||
from rest_framework_simplejwt.authentication import JWTAuthentication
|
||||
from rest_framework.mixins import UpdateModelMixin, RetrieveModelMixin, DestroyModelMixin
|
||||
from rest_framework.viewsets import GenericViewSet
|
||||
|
||||
|
||||
from core.paginations.limit_offset import CustomLimitOffsetPagination
|
||||
from rest_framework_simplejwt.authentication import JWTAuthentication
|
||||
|
||||
from apps.users.api.serializers import (
|
||||
ChangePasswordSerializer,
|
||||
LoginOtpSerializer,
|
||||
LoginSerializer,
|
||||
GoogleOAuthClaimVerifySerializer,
|
||||
GoogleOAuthCompleteSerializer,
|
||||
GoogleOAuthFlowSerializer,
|
||||
LoginOtpSerializer,
|
||||
LoginSerializer,
|
||||
LogoutSerializer,
|
||||
RegisterSerializer,
|
||||
RegisterWithPasswordSerializer,
|
||||
ResetPasswordSerializer,
|
||||
SendOTPSerializer,
|
||||
TokenPairSerializer,
|
||||
UserListSerializer,
|
||||
UserProfilePictureSerializer,
|
||||
LogoutSerializer,
|
||||
TokenPairSerializer,
|
||||
RegisterWithPasswordSerializer,
|
||||
UserProfileSerializer,
|
||||
UserSearchSerializer,
|
||||
)
|
||||
from apps.users.api.throttles import (
|
||||
GoogleClaimSendBurstThrottle,
|
||||
GoogleClaimSendSustainedThrottle,
|
||||
GoogleClaimVerifyThrottle,
|
||||
OTPLoginThrottle,
|
||||
OTPSendBurstThrottle,
|
||||
OTPSendSustainedThrottle,
|
||||
PasswordLoginThrottle,
|
||||
GoogleClaimSendBurstThrottle,
|
||||
GoogleClaimSendSustainedThrottle,
|
||||
GoogleClaimVerifyThrottle,
|
||||
)
|
||||
from apps.users.services.auth import (
|
||||
register_user_with_password,
|
||||
register_user_with_otp,
|
||||
generate_and_send_otp,
|
||||
login_with_password,
|
||||
login_with_otp,
|
||||
reset_password_with_otp,
|
||||
change_password,
|
||||
logout_user
|
||||
generate_and_send_otp,
|
||||
login_with_otp,
|
||||
login_with_password,
|
||||
logout_user,
|
||||
register_user_with_otp,
|
||||
register_user_with_password,
|
||||
reset_password_with_otp,
|
||||
)
|
||||
from apps.users.services.google_oauth import (
|
||||
build_authenticated_flow_payload,
|
||||
build_google_authorization_url,
|
||||
build_google_callback_error_redirect_url,
|
||||
build_google_callback_redirect_url,
|
||||
build_pending_google_flow_payload,
|
||||
complete_google_signup,
|
||||
@@ -68,6 +66,7 @@ from apps.users.services.google_oauth import (
|
||||
sync_user_from_google_profile,
|
||||
verify_google_claim,
|
||||
)
|
||||
from core.paginations.limit_offset import CustomLimitOffsetPagination
|
||||
|
||||
User = get_user_model()
|
||||
|
||||
@@ -182,10 +181,16 @@ class GoogleOAuthCallbackView(APIView):
|
||||
@extend_schema(responses=None)
|
||||
def get(self, request):
|
||||
if request.query_params.get("error"):
|
||||
raise serializers.ValidationError(
|
||||
{"detail": request.query_params.get("error_description") or "Google sign-in was cancelled."}
|
||||
return HttpResponseRedirect(
|
||||
build_google_callback_error_redirect_url(
|
||||
code=request.query_params.get("error") or "google_sign_in_cancelled",
|
||||
detail=(
|
||||
request.query_params.get("error_description")
|
||||
or "Google sign-in was cancelled."
|
||||
),
|
||||
)
|
||||
|
||||
)
|
||||
try:
|
||||
consume_google_state(request.query_params.get("state"))
|
||||
profile = exchange_code_for_google_profile(request.query_params.get("code"))
|
||||
social_account = find_social_account_for_profile(profile)
|
||||
@@ -198,6 +203,20 @@ class GoogleOAuthCallbackView(APIView):
|
||||
|
||||
flow = create_google_flow(flow_payload)
|
||||
return HttpResponseRedirect(build_google_callback_redirect_url(flow))
|
||||
except serializers.ValidationError as exc:
|
||||
detail = exc.detail
|
||||
if isinstance(detail, dict):
|
||||
message = detail.get("detail", "Google sign-in could not be completed.")
|
||||
else:
|
||||
message = detail
|
||||
if isinstance(message, list):
|
||||
message = message[0] if message else "Google sign-in could not be completed."
|
||||
return HttpResponseRedirect(
|
||||
build_google_callback_error_redirect_url(
|
||||
code="google_callback_failed",
|
||||
detail=str(message),
|
||||
)
|
||||
)
|
||||
|
||||
|
||||
class GoogleOAuthFlowView(APIView):
|
||||
|
||||
@@ -367,6 +367,16 @@ def build_google_callback_redirect_url(flow: str) -> str:
|
||||
return f"{get_frontend_google_callback_url()}?flow={flow}"
|
||||
|
||||
|
||||
def build_google_callback_error_redirect_url(*, code: str, detail: str) -> str:
|
||||
params = urlencode(
|
||||
{
|
||||
"error": code,
|
||||
"error_description": detail,
|
||||
}
|
||||
)
|
||||
return f"{get_frontend_google_callback_url()}?{params}"
|
||||
|
||||
|
||||
def find_social_account_for_profile(profile: GoogleProfile) -> UserSocialAccount | None:
|
||||
return (
|
||||
UserSocialAccount.objects.select_related("user")
|
||||
|
||||
@@ -7,7 +7,7 @@ from django.core.cache import cache
|
||||
from django.core.management import call_command
|
||||
from django.db import IntegrityError
|
||||
from django.test import override_settings
|
||||
from rest_framework import status
|
||||
from rest_framework import serializers, status
|
||||
from rest_framework.test import APIRequestFactory, APITestCase
|
||||
|
||||
from apps.users.api.views import RegisterWithPasswordView
|
||||
@@ -673,6 +673,41 @@ class GoogleOAuthApiTests(APITestCase):
|
||||
self.assertEqual(flow_response.data["resolution"], "new_account")
|
||||
self.assertIsNone(flow_response.data["mobile_hint"])
|
||||
|
||||
def test_google_callback_redirects_cancellation_back_to_frontend(self):
|
||||
response = self.client.get(
|
||||
"/api/users/oauth/google/callback/?error=access_denied&error_description=User%20cancelled",
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertIn("/auth/google/callback?error=access_denied", response["Location"])
|
||||
self.assertIn("error_description=User+cancelled", response["Location"])
|
||||
|
||||
@patch("apps.users.api.views.exchange_code_for_google_profile")
|
||||
def test_google_callback_redirects_backend_errors_back_to_frontend(
|
||||
self,
|
||||
exchange_code_for_google_profile,
|
||||
):
|
||||
exchange_code_for_google_profile.side_effect = serializers.ValidationError(
|
||||
{"detail": "Google token exchange failed."}
|
||||
)
|
||||
|
||||
start_response = self.client.get("/api/users/oauth/google/start/")
|
||||
state = start_response["Location"].split("state=", 1)[1].split("&", 1)[0]
|
||||
|
||||
response = self.client.get(
|
||||
f"/api/users/oauth/google/callback/?state={state}&code=google-code",
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertIn(
|
||||
"/auth/google/callback?error=google_callback_failed",
|
||||
response["Location"],
|
||||
)
|
||||
self.assertIn(
|
||||
"error_description=Google+token+exchange+failed.",
|
||||
response["Location"],
|
||||
)
|
||||
|
||||
@patch("apps.users.api.views.exchange_code_for_google_profile")
|
||||
def test_google_callback_redirects_with_email_claim_flow_for_matching_email(
|
||||
self,
|
||||
|
||||
Reference in New Issue
Block a user