Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: create a new pipeline step that validates the national id base … #233

Merged
merged 2 commits into from
Nov 18, 2024
Merged

feat: create a new pipeline step that validates the national id base … #233

merged 2 commits into from
Nov 18, 2024

Conversation

andrey-canon
Copy link
Collaborator

@andrey-canon andrey-canon commented Nov 14, 2024
edited
Loading

Description

This pull request introduces the validate_national_id_and_associate_user pipeline method, designed to improve user association logic in SAML authentication flows. This method verifies that a user's UID from the identity provider ends with their registered national ID. If a match is found, it securely associates the user without altering their session. If there is no match, or if the national ID is absent, the method triggers a logout and redirects the user to the registration page, ensuring only properly identified users are associated.

Key improvements include:

  1. Ensuring accurate user associations by verifying the UID-national ID suffix match.
  2. Automatically handling sessions by logging out mismatched users to enhance security.
  3. Streamlining user onboarding with an immediate redirect to the registration page if the national ID is not present.

Testing instructions

This requires the following settings

REGISTRATION_EXTENSION_FORM_FIELDS_TPA_OVERRIDES = ["arabic_name", "national_id"]
REGISTRATION_EXTRA_FIELDS = {
    ...
    "national_id": "required",
    ...
}

Replace "social_core.pipeline.social_auth.associate_user" with "eox_nelp.third_party_auth.pipeline.validate_national_id_and_associate_user", in SOCIAL_AUTH_TPA_SAML_PIPELINE

image
image

Finally register a new user with SAML

johanseto
johanseto reviewed Nov 15, 2024
View reviewed changes
eox_nelp/third_party_auth/pipeline.py

logout(request)

return redirect("/register")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is a redirect. Do you think this pipe would have @partial decorator? To continue the process in this step pipe???
https://python-social-auth.readthedocs.io/en/latest/pipeline.html#partial-pipeline

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That decorator doesn't fit in this context at all, when I was developing this pipe I included this backend.strategy.clean_partial_pipeline(partial_token) to restart the current partial then I realized that is not necessary because logout(request) performs that operation, basically this pipe aims to restart the whole pipeline when the national id condition is not valid in order to start a new process so doesn't make sense to start a new process from this step

johanseto
johanseto reviewed Nov 18, 2024
View reviewed changes
eox_nelp/third_party_auth/pipeline.py

if national_id and uid.endswith(national_id):
return associate_user(backend, uid, user, social, *args, **kwargs)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a log here to know that this pipeline is working blocking incorrect associate users...
eg like this log
image

@andrey-canon andrey-canon force-pushed the and/create_validate_associate_pipeline branch from 738ebf0 to bdbedd2 Compare November 18, 2024 17:28
@andrey-canon andrey-canon merged commit e214a56 into master Nov 18, 2024
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johanseto johanseto johanseto approved these changes

Assignees
No one assigned
Labels
size/s test
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@andrey-canon @johanseto