From e137c20cc6177fdcc40914d9c6f07fb78f80fd71 Mon Sep 17 00:00:00 2001 From: ManuTrt Date: Sat, 8 Mar 2025 15:50:00 +0200 Subject: [PATCH] added pkce --- readerbench/settings.py | 2 +- templates/registration/login.html | 2 +- templates/registration/signup.html | 2 +- users/views.py | 41 ++++++++++++++++++++++++------ 4 files changed, 36 insertions(+), 11 deletions(-) diff --git a/readerbench/settings.py b/readerbench/settings.py index 7e2c78f..1ac6e02 100644 --- a/readerbench/settings.py +++ b/readerbench/settings.py @@ -163,7 +163,7 @@ 'OAUTH2_BACKEND_CLASS': 'oauth2_provider.oauth2_backends.JSONOAuthLibCore', # this is the list of available scopes 'SCOPES': {'read': 'Read scope', 'write': 'Write scope', 'groups': 'Access to your groups'}, - 'PKCE_REQUIRED': False + 'PKCE_REQUIRED': True } REST_FRAMEWORK = { diff --git a/templates/registration/login.html b/templates/registration/login.html index abe29ce..e9fac5f 100644 --- a/templates/registration/login.html +++ b/templates/registration/login.html @@ -112,7 +112,7 @@ diff --git a/templates/registration/signup.html b/templates/registration/signup.html index 5da98e4..8957aa4 100644 --- a/templates/registration/signup.html +++ b/templates/registration/signup.html @@ -146,7 +146,7 @@ diff --git a/users/views.py b/users/views.py index 4956348..8299910 100644 --- a/users/views.py +++ b/users/views.py @@ -26,6 +26,17 @@ def form_valid(self, form): if not redirect_uri: messages.error(self.request, 'redirect_uri is missing.') return super().form_invalid(form) + + code_challenge = self.request.GET.get('code_challenge') + if not code_challenge: + messages.error(self.request, 'code_challenge is missing.') + return super().form_invalid(form) + + code_challenge_method = self.request.GET.get('code_challenge_method') + if not code_challenge_method: + messages.error(self.request, 'code_challenge_method is missing.') + return super().form_invalid(form) + super().form_valid(form) 
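Review bot: Flipping `PKCE_REQUIRED` to True enforces a code challenge for every registered application, including any confidential clients already provisioned against this server, and nothing on the line records that this is intended. A one-line comment above it would spare the next reader a surprise, e.g. `# PKCE (RFC 7636) is mandatory for all clients; authorization requests without code_challenge are rejected`. If a per-client exemption is ever needed, recent django-oauth-toolkit releases also accept a callable for this setting (taking the client_id), which is preferable to turning the flag back to False globally.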
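Review bot: The two new guards check only that `code_challenge` and `code_challenge_method` are present, so `code_challenge_method=anything` passes and `super().form_valid(form)` logs the user in before the authorization endpoint rejects the malformed request. Restricting the method to the values the provider accepts keeps the failure on the form: `if code_challenge_method not in ('S256', 'plain'):` followed by the same `messages.error`/`return super().form_invalid(form)` pair (and `('S256',)` alone if no client needs `plain`, which RFC 7636 discourages). The same presence-only check is repeated in the signup view at `@@ -61,6 +74,16 @@`. `form_valid` starts before this hunk and continues past it.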
@@ -34,15 +45,17 @@ def form_valid(self, form): f"?client_id={client_id}" f"&response_type=code" f"&redirect_uri={redirect_uri}" + f"&code_challenge={code_challenge}" + f"&code_challenge_method={code_challenge_method}" ) return redirect(authorization_url) def get_context_data(self, **kwargs): context = super().get_context_data(**kwargs) - client_id = self.request.GET.get('client_id') - context['client_id'] = client_id - redirect_uri = self.request.GET.get('redirect_uri') - context['redirect_uri'] = redirect_uri + context['client_id'] = self.request.GET.get('client_id') + context['redirect_uri'] = self.request.GET.get('redirect_uri') + context['code_challenge'] = self.request.GET.get('code_challenge') + context['code_challenge_method'] = self.request.GET.get('code_challenge_method') return context @@ -61,6 +74,16 @@ def form_valid(self, form): if not redirect_uri: messages.error(self.request, 'redirect_uri is missing.') return redirect('signup') + + code_challenge = self.request.GET.get('code_challenge') + if not code_challenge: + messages.error(self.request, 'code_challenge is missing.') + return super().form_invalid(form) + + code_challenge_method = self.request.GET.get('code_challenge_method') + if not code_challenge_method: + messages.error(self.request, 'code_challenge_method is missing.') + return super().form_invalid(form) # Save the new user user = form.save() @@ -73,6 +96,8 @@ def form_valid(self, form): f"?client_id={client_id}" f"&response_type=code" f"&redirect_uri={redirect_uri}" + f"&code_challenge={code_challenge}" + f"&code_challenge_method={code_challenge_method}" ) return redirect(authorization_url) 
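Review bot: `code_challenge` and `code_challenge_method` are interpolated into the query string straight from `request.GET` without percent-encoding, joining `client_id` and `redirect_uri` which already were; a value containing `&`, `#` or `%` changes the query the authorization endpoint sees instead of travelling as one parameter. Building the query with `urllib.parse.urlencode` encodes all five values uniformly and replaces the hand-assembled f-string chain; `from urllib.parse import urlencode` goes with the module's other imports. The same chain appears in the signup view at `@@ -73,6 +96,8 @@`. The `authorization_url` expression begins before this hunk, so only the query part is shown below.
```python
        query = urlencode({
            'client_id': client_id,
            'response_type': 'code',
            'redirect_uri': redirect_uri,
            'code_challenge': code_challenge,
            'code_challenge_method': code_challenge_method,
        })
        # … unchanged: authorization_url base expression (above the hunk), now followed by f"?{query}" …
        return redirect(authorization_url)
```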
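Review bot: The new `code_challenge` guards return `super().form_invalid(form)` while the `redirect_uri` guard directly above them returns `redirect('signup')`, so one view now handles a missing OAuth parameter in two different ways; `redirect('signup')` additionally drops the query string, losing the other parameters. Either make the new checks match with `return redirect('signup')` or, better, change the `redirect_uri` branch to `return super().form_invalid(form)` so the form re-renders with the message and the query intact. Placing the checks ahead of `form.save()` does mean no account is created for an invalid request, which is the right order. `form_valid` starts before this hunk and continues past it.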
@@ -82,10 +107,10 @@ def form_invalid(self, form):
 def get_context_data(self, **kwargs):
 context = super().get_context_data(**kwargs)
- client_id = self.request.GET.get('client_id')
- context['client_id'] = client_id
- redirect_uri = self.request.GET.get('redirect_uri')
- context['redirect_uri'] = redirect_uri
+ context['client_id'] = self.request.GET.get('client_id')
+ context['redirect_uri'] = self.request.GET.get('redirect_uri')
+ context['code_challenge'] = self.request.GET.get('code_challenge')
+ context['code_challenge_method'] = self.request.GET.get('code_challenge_method')
 return context
 # removes session from database
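Review bot: These four `request.GET` lookups are now duplicated verbatim between this `get_context_data` and the login view's at `@@ -34,15 +45,17 @@`, so the next OAuth parameter has to be added in two places here plus both `form_valid` methods. A module-level tuple and one `update` keep them in sync: `OAUTH_PARAMS = ('client_id', 'redirect_uri', 'code_challenge', 'code_challenge_method')` and `context.update({name: self.request.GET.get(name) for name in OAUTH_PARAMS})`, or a small mixin both views inherit.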