edpibu/musik
edpibu/musik
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages 1 Wiki Activity Actions

Refactor YouTube authentication flow and update settings for security enhancements

Browse source
This commit is contained in:
Edgar P. Burkhart 2025-06-14 17:37:37 +02:00
parent a0d6fb81cd
commit fc1ec45ab4
Signed by: edpibu
GPG key ID: 9833D3C5A25BD227
2 changed files with 23 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

34
game/views.py
View file

@ -305,22 +305,6 @@ class GameDetailView(LoginRequiredMixin, DetailView):
) )
class YoutubeLoginView(LoginRequiredMixin, View):
def get(self, request):
flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
settings.YOUTUBE_OAUTH_SECRETS,
["https://www.googleapis.com/auth/youtube.force-ssl"],
)
flow.redirect_uri = "https://localhost/youtube_callback/"
auth_url, state = flow.authorization_url(
access_type="offline",
include_granted_scopes="true",
prompt="consent",
)
self.request.session["state"] = state
return redirect(auth_url)
class YoutubeCallbackView(LoginRequiredMixin, View): class YoutubeCallbackView(LoginRequiredMixin, View):
def get(self, request): def get(self, request):
if err := request.GET.get("error"): if err := request.GET.get("error"):
@ -335,7 +319,7 @@ class YoutubeCallbackView(LoginRequiredMixin, View):
["https://www.googleapis.com/auth/youtube.force-ssl"], ["https://www.googleapis.com/auth/youtube.force-ssl"],
state=state, state=state,
) )
flow.redirect_uri = "https://localhost/youtube_callback/" flow.redirect_uri = request.build_absolute_uri("/youtube_callback/")
flow.fetch_token(code=request.GET.get("code")) flow.fetch_token(code=request.GET.get("code"))
@ -358,6 +342,22 @@ class YoutubeCallbackView(LoginRequiredMixin, View):
return redirect("/") return redirect("/")
class YoutubeLoginView(LoginRequiredMixin, View):
def get(self, request):
flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
settings.YOUTUBE_OAUTH_SECRETS,
["https://www.googleapis.com/auth/youtube.force-ssl"],
)
flow.redirect_uri = request.build_absolute_uri("/youtube_callback/")
auth_url, state = flow.authorization_url(
access_type="offline",
include_granted_scopes="true",
prompt="consent",
)
self.request.session["state"] = state
return redirect(auth_url)
class GroupClearBlacklistView(OwnerFilterMixin, SingleObjectMixin, View): class GroupClearBlacklistView(OwnerFilterMixin, SingleObjectMixin, View):
model = models.Group model = models.Group

7
musik/settings.py
View file

@ -21,7 +21,10 @@ BASE_DIR = Path(__file__).resolve().parent.parent
# See https://docs.djangoproject.com/en/5.2/howto/deployment/checklist/ # See https://docs.djangoproject.com/en/5.2/howto/deployment/checklist/
# SECURITY WARNING: keep the secret key used in production secret! # SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = "django-insecure-&z*xu$^w8btr(%1!y#+0a98)l_q*+*6z54611pi678mdpsar_=" SECRET_KEY = os.getenv(
"MUSIK_SECRET_KEY",
"django-insecure-&z*xu$^w8btr(%1!y#+0a98)l_q*+*6z54611pi678mdpsar_=",
)
# SECURITY WARNING: don't run with debug turned on in production! # SECURITY WARNING: don't run with debug turned on in production!
DEBUG = "DEBUG" in os.environ DEBUG = "DEBUG" in os.environ
@ -29,6 +32,8 @@ DEBUG = "DEBUG" in os.environ
HOST = os.getenv("MUSIK_HOST", "localhost") HOST = os.getenv("MUSIK_HOST", "localhost")
ALLOWED_HOSTS = [HOST] ALLOWED_HOSTS = [HOST]
CSRF_TRUSTED_ORIGINS = [f"https://{HOST}"] CSRF_TRUSTED_ORIGINS = [f"https://{HOST}"]
USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
# Application definition # Application definition