Fix FB logins (#129)

mapseed · May 12, 2018 · 192617e · 192617e
1 parent 88ca139
commit 192617e
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/src/project/settings.py b/src/project/settings.py
@@ -211,7 +211,8 @@
     # See http://django-social-auth.readthedocs.org/en/latest/configuration.html
     # for list of available backends.
     'social.backends.twitter.TwitterOAuth',
-    'social.backends.facebook.FacebookOAuth2',
+    #'social.backends.facebook.FacebookOAuth2',
+    'sa_api_v2.auth_backends.NoRedirectStateFacebookOAuth2',
     'social.backends.google.GoogleOAuth2',
     'sa_api_v2.auth_backends.CachedModelBackend',
 )

diff --git a/src/sa_api_v2/auth_backends.py b/src/sa_api_v2/auth_backends.py
@@ -1,5 +1,6 @@
 from django.contrib.auth.backends import ModelBackend
 from .cache import UserCache
+from social.backends.facebook import FacebookOAuth2
 
 class CachedModelBackend (ModelBackend):
     def get_user(self, user_id):
@@ -8,3 +9,11 @@ def get_user(self, user_id):
             user = super(CachedModelBackend, self).get_user(user_id)
             UserCache.set_instance(user, user_id=user_id)
         return user
+
+# This custom backend prevents the dynamic redirect_state query param from
+# being sent with FB OAuth requests. redirect_state interferes with upgraded
+# FB security requirements.
+# https://stackoverflow.com/questions/45307723/valid-oauth-redirect-uris-for-facebook-django-social-auth
+# https://developers.facebook.com/docs/facebook-login/security/#surfacearea
+class NoRedirectStateFacebookOAuth2(FacebookOAuth2):
+    REDIRECT_STATE = False