From b6eb5ebc7a1f9e6416892604e13e5a7baaa7f83e Mon Sep 17 00:00:00 2001
From: Rushil Srivastava
Date: Mon, 14 Feb 2022 19:02:21 -0800
Subject: [PATCH] :bug: Clear state from session in OAuth2 apps
---
 authlib/integrations/django_client/apps.py | 1 +
 authlib/integrations/flask_client/apps.py | 1 +
 authlib/integrations/starlette_client/apps.py | 1 +
 3 files changed, 3 insertions(+)
diff --git a/authlib/integrations/django_client/apps.py b/authlib/integrations/django_client/apps.py
index 99768a5a..4e23e8c6 100644
--- a/authlib/integrations/django_client/apps.py
+++ b/authlib/integrations/django_client/apps.py
@@ -76,6 +76,7 @@ def authorize_access_token(self, request, **kwargs):
 }
 state_data = self.framework.get_state_data(request.session, params.get('state'))
+ self.framework.clear_state_data(request.session, params.get('state'))
 params = self._format_state_params(state_data, params)
 token = self.fetch_access_token(**params, **kwargs)
diff --git a/authlib/integrations/flask_client/apps.py b/authlib/integrations/flask_client/apps.py
index d9a58503..89a5893a 100644
--- a/authlib/integrations/flask_client/apps.py
+++ b/authlib/integrations/flask_client/apps.py
@@ -98,6 +98,7 @@ def authorize_access_token(self, **kwargs):
 }
 state_data = self.framework.get_state_data(session, params.get('state'))
+ self.framework.clear_state_data(session, params.get('state'))
 params = self._format_state_params(state_data, params)
 token = self.fetch_access_token(**params, **kwargs)
 self.token = token
diff --git a/authlib/integrations/starlette_client/apps.py b/authlib/integrations/starlette_client/apps.py
index 5304eba9..5b0f4356 100644
--- a/authlib/integrations/starlette_client/apps.py
+++ b/authlib/integrations/starlette_client/apps.py
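Review bot: The added `clear_state_data(...)` call in the django hunk runs with the request-supplied `params.get('state')` before `_format_state_params` has looked at `state_data`, so it executes even when `get_state_data` found nothing for this session or the callback carried no `state` at all. `clear_state_data` is not shown in this patch; if it also deletes from a store shared across sessions, a callback could remove a state record that this session never resolved. Guarding the call, `if state_data is not None: self.framework.clear_state_data(request.session, params.get('state'))` (or a truthiness test, depending on what `get_state_data` returns on a miss), keeps the state single-use while limiting deletion to records this session owns. The flask hunk and the starlette hunk have the same ordering, and `authorize_access_token` starts and ends outside each hunk.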
@@ -70,6 +70,7 @@ async def authorize_access_token(self, request, **kwargs):
 session = request.session
 state_data = await self.framework.get_state_data(session, params.get('state'))
+ await self.framework.clear_state_data(session, params.get('state'))
 params = self._format_state_params(state_data, params)
 token = await self.fetch_access_token(**params, **kwargs)
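Review bot: The new `await self.framework.clear_state_data(...)` line has no comment saying why the state is dropped before `fetch_access_token` rather than after it succeeds, and that ordering is the security-relevant part of the change. As written, a failed token exchange leaves no stored state behind, so the user has to restart the authorization flow, which looks intended for a single-use value. I would add `# state is single-use: clear it before the token exchange so a repeated callback with the same state is rejected` above the call, here and above the matching lines in the django and flask hunks. The following line still passes the local `state_data` to `_format_state_params`, so clearing the session copy early should not affect it, but the rest of the function is outside the hunk.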