[FIX] Fixed login to OpenERP with Google OAuth2. Still fails when redirecting an authenticated user.

bzr revid: vta@openerp.com-20120813123333-b4jwsrn106lakbnh
2012-08-13 14:33:33 +02:00 · 2012-08-13 14:33:33 +02:00 · 7c3a72300c
parent d946d35ee0
commit 7c3a72300c
3 changed files with 32 additions and 20 deletions
--- a/addons/auth_oauth/controllers/main.py
+++ b/addons/auth_oauth/controllers/main.py
@ -1,4 +1,5 @@
 import logging
+import urllib2

 import werkzeug.urls

@ -21,10 +22,10 @@ class OAuthController(openerpweb.Controller):
                u = registry.get('res.users')
                r = u.auth_oauth(cr, 1, kw)
                cr.commit()
-                return openerp.addons.web.controllers.main.login_and_redirect(req, *r)
+                # return openerp.addons.web.controllers.main.login_and_redirect(req, *r)
                # or
-                req.authenticate(*r)
-                url = "/"
+                # req.authenticate(*r)
+                # url = "/"
            except AttributeError:
                # auth_signup is not installed
                url = "/#action=auth_signup&error=1"
@ -33,7 +34,6 @@ class OAuthController(openerpweb.Controller):
                url = "/#action=auth_signup&error=2"
        finally:
            cr.close()
-        return ""
-        return werkzeug.utils.redirect(url)
+        return werkzeug.utils.redirect("https://localhost")

 # vim:expandtab:tabstop=4:softtabstop=4:shiftwidth=4:
--- a/addons/auth_oauth/res_users.py
+++ b/addons/auth_oauth/res_users.py
@ -1,23 +1,27 @@
 import urllib2
+import simplejson

 import openerp

 from openerp.osv import osv, fields

 class res_users(osv.Model):
+
    _inherit = 'res.users'

    def auth_oauth(self, cr, uid, params, context=None):
-        print params
-        url = 'https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=' + params.get('access_token')
-        f = urllib2.urlopen(url)
-        validation = f.read()
-        print validation
+        # Advice by Google (to avoid Confused Deputy Problem)
+        # if validation.audience != OUR_CLIENT_ID:
+        #   abort()
+        # else:
+        #   continue with the process
+        login = self.auth_oauth_fetch_user_validation(cr, uid, params)['email']
+        password = self.auth_oauth_fetch_user_validation(cr, uid, params)['user_id']
+        name = self.auth_oauth_fetch_user_data(cr, uid, params)['name']
        r = (cr.dbname, login, password)
        try:
            # check for existing user
            if not self.auth_signup_check(cr, uid, login, password):
-                print "NEW USER"
                # new user
                new_user = {
                    'name': name,
@ -26,15 +30,26 @@ class res_users(osv.Model):
                    'password': password,
                    'active': True,
                }
-                self.auth_signup_create(cr,uid, new_user)
+                self.auth_signup_create(cr, uid, new_user)
                return r
            else:
-                print "Existing same"
                # already existing with same password
                return r
        except openerp.exceptions.AccessDenied:
-            print "Existing different"
            # already existing with diffrent password
            raise
+    def auth_oauth_rpc(self, cr, uid, endpoint, params, context=None):
+        url = endpoint + params.get('access_token')
+        f = urllib2.urlopen(url)
+        validation = f.read()
+        return simplejson.loads(validation)
+
+    def auth_oauth_fetch_user_validation(self, cr, uid, params, context=None):
+        endpoint = 'https://www.googleapis.com/oauth2/v1/tokeninfo?access_token='    
+        return self.auth_oauth_rpc(cr, uid, endpoint, params)
+
+    def auth_oauth_fetch_user_data(self, cr, uid, params):
+        endpoint = 'https://www.googleapis.com/oauth2/v1/userinfo?access_token='
+        return self.auth_oauth_rpc(cr, uid, endpoint, params)

 #
--- a/addons/auth_oauth/static/src/js/auth_oauth.js
+++ b/addons/auth_oauth/static/src/js/auth_oauth.js
@ -13,7 +13,7 @@ openerp.auth_oauth = function(instance) {
                response_type: 'token',
                client_id: '108010644258-duuhmp6pu7li4tsmnqg7j9rvdeklg0ki.apps.googleusercontent.com',
                redirect_uri: 'https://localhost/',
-                scope: 'https://www.googleapis.com/auth/userinfo.email',
+                scope: 'https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile',
                state: state,
            };
            var url = endpoint + '?' + $.param(params);
@ -29,12 +29,9 @@ openerp.auth_oauth = function(instance) {
    instance.web.WebClient = instance.web.WebClient.extend({
        start: function() {
            this._super.apply(this, arguments);
-            var params = $.deparam(window.location.hash);
+            var params = $.deparam(window.location.hash.substring(1));
            if (params.hasOwnProperty('access_token')) {
-                // fix params for python marshmalling
-                params.state = params["#state"]
-                delete params["#state"]
-                var url = "/auth_oauth/signin" + '?' + $.param(params);
+                var url = "/auth_oauth/signin" + '?' + $.param(params);//alert(JSON.stringify(params));
                window.location = url;
            }
        },