BB2-4961: Switch Account Link#1649
Conversation
… missing code_verifier
…ith switch account
|
This can be followed up on in a future ticket, but I believe it would make sense to add this workflow to selenium tests. |
Definitely, I will write up a ticket for that |
|
Validation:
|
|
Did you hear back from @sb-benohe on the security question? |
No |
annamontare-nava
left a comment
There was a problem hiding this comment.
All the validation steps worked! I have some security questions that may be non-issues due to my own misunderstanding. I also think potentially we could add more tests to this.
| ] | ||
| oauth_params = {} | ||
| for param in params: | ||
| oauth_params[param] = self.request.GET.get(param) |
There was a problem hiding this comment.
Would this work if the request method was POST?
|
|
||
|
|
||
| def get_oauth_param(request: HttpRequest, parameter: str, fallback_session_parameter: str = None) -> str | None: | ||
| """Resolve an OAuth parameter from GET, then session, then session['oauth_params']. |
There was a problem hiding this comment.
Should this handle POST too?
There was a problem hiding this comment.
I looked at Splunk and I swore we were only getting GET requests on authorize endpoints, which is why I wrote it as so. Looking now, I do see some POST requests, so i'll add handling for that as a backup.
Co-authored-by: annamontare-nava <267455234+annamontare-nava@users.noreply.github.com>
I'm going to write a ticket to add a Selenium test for this. What other tests do you think need to be added before this can be merged? |
I think a selenium test would cover it! |
| 'code_challenge_method': CODE_CHALLENGE_METHOD_S256, | ||
| 'code_challenge': request.session.get('oauth_params', {}).get('code_challenge'), | ||
| 'scope': request.session.get('oauth_params', {}).get('scope'), | ||
| 'code_verifier': request.session.get('code_verifier'), |
There was a problem hiding this comment.
The code_verifier shouldn't be sent on the authorization request, no?
There was a problem hiding this comment.
Great catch. It doesn't come through on Postman auth requests (similar to our actual apps), but it does in testclient. So that is why it's included here, so the testclient switch account flow works. I'll leave a comment to explain that.
There was a problem hiding this comment.
I think it should be set in the session, but not placed in the authorize url parameters later on.
There was a problem hiding this comment.
Is there a change you are suggesting? I didn't add it to the authorize url parameters, just making it so it is retrievable after switch account is clicked for testclient.
There was a problem hiding this comment.
It goes into the url parameters in line 1493 right?
JIRA Ticket:
BB2-4961
What Does This PR Do?
Ensures that a beneficiary on the v3 permissions screen can click the Switch account link, and be redirected back to the CSPs landing page, where they can then re-authorize and get an access token. This works via Postman and the testclient, though some extra code was needed for it to work for the testclient.
Some minor styling changes to the v3 permissions screen as well.
What Should Reviewers Watch For?
If you're reviewing this PR, please check for these things in particular:
Validation
Styling changes:
Switch account changes:
In Postman, go through a v3 auth flow. Log in as a user (BBUser00100), then click the switch account link at the top of the page
You will be redirected to the CSPs landing page, click Medicare.gov, and enter the credentials for BBUser00575
Click Share on the v3 permissions screen.
Run a v3 patient search call for your newly created token. If you used BBUser00575, the fhir_id_v3 should be a specific value that I can share with you (don't want to include in a PR)
In the testclient, go through a v3 auth flow. Log in as a user (BBUser00100), then click the switch account link at the top of the page
You will be redirected to the CSPs landing page, click Medicare.gov, and enter the credentials for BBUser00575
Click Share on the v3 permissions screen.
Click through every link on the testclient landing page to ensure they all work
Also go through testclient flows for v2/v3 without clicking switch account to ensure they still work. Do the same for Postman.
What Security Implications Does This PR Have?
Please indicate if this PR does any of the following:
None of the above apply necesarily, but @sb-benohe, curious if you have any concerns about logging a user out and then maintaining the oauth_params so another user can login.
security engineer's approval.
Any Migrations?
etc)