Refactor YouTube authentication flow and update settings for security enhancements

2025-06-14 17:37:37 +02:00 · 2025-06-14 17:37:37 +02:00 · fc1ec45ab4
commit fc1ec45ab4
parent a0d6fb81cd
2 changed files with 23 additions and 18 deletions
--- a/game/views.py
+++ b/game/views.py
@ -305,22 +305,6 @@ class GameDetailView(LoginRequiredMixin, DetailView):
        )


-class YoutubeLoginView(LoginRequiredMixin, View):
-    def get(self, request):
-        flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
-            settings.YOUTUBE_OAUTH_SECRETS,
-            ["https://www.googleapis.com/auth/youtube.force-ssl"],
-        )
-        flow.redirect_uri = "https://localhost/youtube_callback/"
-        auth_url, state = flow.authorization_url(
-            access_type="offline",
-            include_granted_scopes="true",
-            prompt="consent",
-        )
-        self.request.session["state"] = state
-        return redirect(auth_url)
-
-
 class YoutubeCallbackView(LoginRequiredMixin, View):
    def get(self, request):
        if err := request.GET.get("error"):
@ -335,7 +319,7 @@ class YoutubeCallbackView(LoginRequiredMixin, View):
            ["https://www.googleapis.com/auth/youtube.force-ssl"],
            state=state,
        )
-        flow.redirect_uri = "https://localhost/youtube_callback/"
+        flow.redirect_uri = request.build_absolute_uri("/youtube_callback/")

        flow.fetch_token(code=request.GET.get("code"))

@ -358,6 +342,22 @@ class YoutubeCallbackView(LoginRequiredMixin, View):
        return redirect("/")


+class YoutubeLoginView(LoginRequiredMixin, View):
+    def get(self, request):
+        flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
+            settings.YOUTUBE_OAUTH_SECRETS,
+            ["https://www.googleapis.com/auth/youtube.force-ssl"],
+        )
+        flow.redirect_uri = request.build_absolute_uri("/youtube_callback/")
+        auth_url, state = flow.authorization_url(
+            access_type="offline",
+            include_granted_scopes="true",
+            prompt="consent",
+        )
+        self.request.session["state"] = state
+        return redirect(auth_url)
+
+
 class GroupClearBlacklistView(OwnerFilterMixin, SingleObjectMixin, View):
    model = models.Group

--- a/musik/settings.py
+++ b/musik/settings.py
@ -21,7 +21,10 @@ BASE_DIR = Path(__file__).resolve().parent.parent
 # See https://docs.djangoproject.com/en/5.2/howto/deployment/checklist/

 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = "django-insecure-&z*xu$^w8btr(%1!y#+0a98)l_q*+*6z54611pi678mdpsar_="
+SECRET_KEY = os.getenv(
+    "MUSIK_SECRET_KEY",
+    "django-insecure-&z*xu$^w8btr(%1!y#+0a98)l_q*+*6z54611pi678mdpsar_=",
+)

 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = "DEBUG" in os.environ
@ -29,6 +32,8 @@ DEBUG = "DEBUG" in os.environ
 HOST = os.getenv("MUSIK_HOST", "localhost")
 ALLOWED_HOSTS = [HOST]
 CSRF_TRUSTED_ORIGINS = [f"https://{HOST}"]
+USE_X_FORWARDED_HOST = True
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


 # Application definition