When a user's sub is defined, we don't want to allow any update
because it would break too many related data.
This fix is required since we changed the way user data is
updated in 7409ea8c6e
The User model `sub` field may be nullable in certain projects; we make sure
the user is correctly updated in this case by using the User.id during
update.
Example of User.sub being nullable: in case of multi authentication
backends.
Example of project using a nullable User.sub: docs (lasuite).
Fixed
- 🐛(oidc) validate state param during silent login failure for CSRF protection
- 🐛(oidc) fix session persistence with Redis backend for OIDC flows
Fixes session persistence issues with OIDC flows, particularly when
using a Redis backend, and strengthens OIDC security.
Key changes include:
**Session Persistence (Redis)**:
- Forcing immediate session saving (`request.session.modified = True`
and `request.session.save()`) in OIDC logout and authentication
views. This is crucial for cache-based session backends like Redis
to ensure OIDC states are persisted before redirects.
- Simplified session creation by calling `session.create()` BEFORE
`super().get()` instead of after (more logical flow).
- Removed unnecessary state merging logic that was over-engineered.
**Security Enhancements**:
- Added CSRF protection by validating the state parameter even during
silent login failures (error=login_required).
- State is now preserved (not deleted) on error=login_required to
allow the SSO provider to send a subsequent callback with the
authorization code using the same state.
- Enforced strict state parameter validation during silent login
failures (`error=login_required`), raising `SuspiciousOperation`
if state is missing or invalid.
- Graceful handling of logout callbacks without state parameter to
accommodate SSO providers sending preflight requests.
**Testing**:
- Added comprehensive tests for silent login security validation
(invalid state, missing state, valid state).
- Updated test expectations to match new behavior where states are
preserved during silent login failures.
- Added test for logout callback without state parameter.
These changes enhance both the reliability and security of OIDC
login and logout flows, especially in distributed environments
using Redis for session management.
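The silent-login state check and forced session save described above, as an added example that is not the project's own code. `SessionStore`, the `oidc_states` session key and `handle_silent_login_failure` are assumptions, modelled without Django so the block runs stand-alone.

```python
class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation (assumption)."""


class SessionStore(dict):
    """Minimal stand-in for a cache-backed Django session (assumption).

    A real cache backend such as Redis only writes when save() runs, so a
    redirect issued before that point would lose the OIDC state.
    """

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.modified = False
        self.saved = 0

    def save(self):
        # Record the explicit write the fix forces before redirecting.
        self.saved += 1


def handle_silent_login_failure(session, params):
    """Validate `state` on error=login_required and keep it for the retry.

    Returns the preserved state, or None when the request is not a silent
    login failure (the caller then continues normal callback processing).
    Raises SuspiciousOperation when the state is missing or unknown, so a
    forged callback cannot be accepted without the CSRF binding.
    """
    if params.get("error") != "login_required":
        return None
    state = params.get("state")
    if not state:
        raise SuspiciousOperation("OIDC callback is missing the state parameter")
    # Assumed layout: states issued by this session, keyed by state value.
    known_states = session.get("oidc_states", {})
    if state not in known_states:
        raise SuspiciousOperation("OIDC callback state not found in session")
    # Do not pop the state: the IdP will send the authorization code with
    # the same state in a subsequent callback.
    session.modified = True
    session.save()
    return state
```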
This endpoint can be called by the IdP to kill all the user
sessions.
In order to allow killing only one session, we need to store the
session ID when logging in from the IdP...
We want to monitor the usage of a scope throttle. We want to know when a
throttle fails in order to determine if the rate is accurate or not.
To allow custom monitoring, a callback can be used. For example, you can
capture a message in Sentry instead of logging a warning.
The parameters field in the MalwareDetection model does not use a
callable as default value, triggering a fields.E010 warning. We have to
use the `dict` callable instead.
We added a management command to force the launch of pending analyses. This
management command can be run periodically in a cron in order to have a
pending analysis blocked and never run.
For the JCOP backend we need to limit the number of simultaneous file
analyses. The number of simultaneous analyses must be configurable; by
default we limit it to 15.
To achieve this, we store the pending analyses in a table, and a new
analysis is triggered at the end of a previous one.
Added
- ✨(configuration) add configuration Value to support file path
in environment #15
Changed
- ♻️(malware_detection) retry getting analysis result sooner
This supports the use of environment variables that either reference
a value or a path to a file containing the value. This is useful for
secrets, to avoid the secret being in a world-readable environment
file.
Once an analysis started, we were waiting 30 seconds before trying to get
the result for the first time, and then the retry delay was always equal to 30
seconds between retries. JCOP asked us to reduce this waiting time
to a few seconds: an analysis job should start quickly and, depending on the
file size, the result will be available in a few seconds.
Added
- ✨(malware_detection) add a module malware_detection #11
Fixed
- 🐛(oidc) fix resource server client when using JSON introspection #16
- 🔊(oidc) improve resource server log for inactive user #17
- 🐛(oidc) use the OIDC_USER_SUB_FIELD when needed #18
- 🩹(oidc) remove deprecated cgi use #19
The claims validation was raising an error when the user is inactive,
making debug sessions quite complex. This does not change the behavior
but adds more explicit logs.
The client was always requesting a JWT introspection response even if
we wanted JSON. This commit fixes the issue by hard linking the
resource server client to the resource server backend we use.