fix(socialaccount): Drop use of SocialToken.__str__

pennersr · Jul 11, 2024 · 11fa4e8 · 11fa4e8
1 parent a41085c
commit 11fa4e8
Show file tree

Hide file tree

Showing 11 changed files with 35 additions and 18 deletions.
diff --git a/ChangeLog.rst b/ChangeLog.rst
@@ -1,3 +1,14 @@
+0.63.5 (2024-07-11)
+*******************
+
+Fixes
+-----
+
+- The security fix in 0.63.4 that altered the ``__str__()`` of ``SocialToken``
+  caused issues within the Amazon Cognito, Atlassian, JupyterHub, LemonLDAP,
+  Nextcloud and OpenID Connect providers. Fixed.
+
+
 0.63.4 (2024-07-10)
 *******************
 

diff --git a/allauth/__init__.py b/allauth/__init__.py
@@ -8,7 +8,7 @@
 
 """
 
-VERSION = (0, 63, 4, "final", 0)
+VERSION = (0, 63, 5, "final", 0)
 
 __title__ = "django-allauth"
 __version_info__ = VERSION

diff --git a/allauth/socialaccount/providers/amazon_cognito/views.py b/allauth/socialaccount/providers/amazon_cognito/views.py
@@ -1,5 +1,6 @@
 from allauth.socialaccount import app_settings
 from allauth.socialaccount.adapter import get_adapter
+from allauth.socialaccount.models import SocialToken
 from allauth.socialaccount.providers.oauth2.views import (
     OAuth2Adapter,
     OAuth2CallbackView,
@@ -39,9 +40,9 @@ def authorize_url(self):
     def profile_url(self):
         return "{}/oauth2/userInfo".format(self.domain)
 
-    def complete_login(self, request, app, access_token, **kwargs):
+    def complete_login(self, request, app, token: SocialToken, **kwargs):
         headers = {
-            "Authorization": "Bearer {}".format(access_token),
+            "Authorization": "Bearer {}".format(token.token),
         }
         extra_data = (
             get_adapter().get_requests_session().get(self.profile_url, headers=headers)

diff --git a/allauth/socialaccount/providers/atlassian/views.py b/allauth/socialaccount/providers/atlassian/views.py
@@ -1,4 +1,5 @@
 from allauth.socialaccount.adapter import get_adapter
+from allauth.socialaccount.models import SocialToken
 from allauth.socialaccount.providers.oauth2.views import (
     OAuth2Adapter,
     OAuth2CallbackView,
@@ -12,9 +13,9 @@ class AtlassianOAuth2Adapter(OAuth2Adapter):
     authorize_url = "https://auth.atlassian.com/authorize"
     profile_url = "https://api.atlassian.com/me"
 
-    def complete_login(self, request, app, access_token, **kwargs):
+    def complete_login(self, request, app, token: SocialToken, **kwargs):
         headers = {
-            "Authorization": f"Bearer {access_token}",
+            "Authorization": f"Bearer {token.token}",
             "Accept": "application/json",
         }
         response = (

diff --git a/allauth/socialaccount/providers/jupyterhub/views.py b/allauth/socialaccount/providers/jupyterhub/views.py
@@ -1,5 +1,6 @@
 from allauth.socialaccount import app_settings
 from allauth.socialaccount.adapter import get_adapter
+from allauth.socialaccount.models import SocialToken
 from allauth.socialaccount.providers.oauth2.views import (
     OAuth2Adapter,
     OAuth2CallbackView,
@@ -17,8 +18,8 @@ class JupyterHubOAuth2Adapter(OAuth2Adapter):
     authorize_url = "{0}/hub/api/oauth2/authorize".format(provider_base_url)
     profile_url = "{0}/hub/api/user".format(provider_base_url)
 
-    def complete_login(self, request, app, access_token, **kwargs):
-        headers = {"Authorization": "Bearer {0}".format(access_token)}
+    def complete_login(self, request, app, token: SocialToken, **kwargs):
+        headers = {"Authorization": "Bearer {0}".format(token.token)}
 
         extra_data = (
             get_adapter().get_requests_session().get(self.profile_url, headers=headers)

diff --git a/allauth/socialaccount/providers/lemonldap/views.py b/allauth/socialaccount/providers/lemonldap/views.py
@@ -1,5 +1,6 @@
 from allauth.socialaccount import app_settings
 from allauth.socialaccount.adapter import get_adapter
+from allauth.socialaccount.models import SocialToken
 from allauth.socialaccount.providers.oauth2.views import (
     OAuth2Adapter,
     OAuth2CallbackView,
@@ -17,11 +18,11 @@ class LemonLDAPOAuth2Adapter(OAuth2Adapter):
     authorize_url = "{0}/oauth2/authorize".format(provider_base_url)
     profile_url = "{0}/oauth2/userinfo".format(provider_base_url)
 
-    def complete_login(self, request, app, token, response):
+    def complete_login(self, request, app, token: SocialToken, response):
         response = (
             get_adapter()
             .get_requests_session()
-            .post(self.profile_url, headers={"Authorization": "Bearer " + str(token)})
+            .post(self.profile_url, headers={"Authorization": "Bearer " + token.token})
         )
         response.raise_for_status()
         extra_data = response.json()

diff --git a/allauth/socialaccount/providers/nextcloud/views.py b/allauth/socialaccount/providers/nextcloud/views.py
@@ -3,6 +3,7 @@
 from allauth.core import context
 from allauth.socialaccount import app_settings
 from allauth.socialaccount.adapter import get_adapter
+from allauth.socialaccount.models import SocialToken
 from allauth.socialaccount.providers.oauth2.views import (
     OAuth2Adapter,
     OAuth2CallbackView,
@@ -34,12 +35,12 @@ def authorize_url(self):
     def profile_url(self):
         return self._build_server_url("/ocs/v1.php/cloud/users/")
 
-    def complete_login(self, request, app, token, **kwargs):
+    def complete_login(self, request, app, token: SocialToken, **kwargs):
         extra_data = self.get_user_info(token, kwargs["response"]["user_id"])
         return self.get_provider().sociallogin_from_response(request, extra_data)
 
-    def get_user_info(self, token, user_id):
-        headers = {"Authorization": "Bearer {0}".format(token)}
+    def get_user_info(self, token: SocialToken, user_id):
+        headers = {"Authorization": "Bearer {0}".format(token.token)}
         resp = (
             get_adapter()
             .get_requests_session()

diff --git a/allauth/socialaccount/providers/openid_connect/views.py b/allauth/socialaccount/providers/openid_connect/views.py
@@ -1,6 +1,7 @@
 from django.urls import reverse
 
 from allauth.socialaccount.adapter import get_adapter
+from allauth.socialaccount.models import SocialToken
 from allauth.socialaccount.providers.oauth2.views import (
     OAuth2Adapter,
     OAuth2CallbackView,
@@ -44,11 +45,11 @@ def authorize_url(self):
     def profile_url(self):
         return self.openid_config["userinfo_endpoint"]
 
-    def complete_login(self, request, app, token, response):
+    def complete_login(self, request, app, token: SocialToken, response):
         response = (
             get_adapter()
             .get_requests_session()
-            .get(self.profile_url, headers={"Authorization": "Bearer " + str(token)})
+            .get(self.profile_url, headers={"Authorization": "Bearer " + token.token})
         )
         response.raise_for_status()
         extra_data = response.json()

diff --git a/docs/conf.py b/docs/conf.py
@@ -53,9 +53,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = "0.63.4"
+version = "0.63.5"
 # The full version, including alpha/beta/rc tags.
-release = "0.63.4"
+release = "0.63.5"
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

diff --git a/examples/react-spa/backend/requirements.txt b/examples/react-spa/backend/requirements.txt
@@ -1,2 +1,2 @@
-django-allauth[mfa,socialaccount]>=0.63.4
+django-allauth[mfa,socialaccount]>=0.63.5
 qrcode >= 7.0.0
diff --git a/examples/regular-django/requirements.txt b/examples/regular-django/requirements.txt
@@ -1 +1 @@
-django-allauth[mfa,saml,socialaccount]>=0.63.4
+django-allauth[mfa,saml,socialaccount]>=0.63.5