fix(oauth2): Handle SESSION_COOKIE_SAMESITE = 'Strict'

Author: pennersr

ChangeLog.rst

@@ -34,6 +34,9 @@ Note worthy changes
 - Added a new setting, ``SOCIALACCOUNT_ONLY``, which when set to ``True``,
   disables all functionality with respect to local accounts.
 
+- The OAuth2 handshake was not working properly in case of
+  ``SESSION_COOKIE_SAMESITE = "Strict"``, fixed.
+
 
 0.61.1 (2024-02-09)
 *******************

allauth/socialaccount/providers/oauth2/tests/__init__.py

@@ -0,0 +1,36 @@
+from django.urls import reverse
+
+import pytest
+from pytest_django.asserts import assertTemplateUsed
+
+
+@pytest.mark.parametrize(
+    "samesite_strict,did_already_redirect,expect_redirect",
+    [
+        (True, False, True),
+        (True, True, False),
+        (False, False, False),
+    ],
+)
+def test_samesite_strict(
+    client,
+    samesite_strict,
+    settings,
+    google_provier_settings,
+    did_already_redirect,
+    expect_redirect,
+    db,
+):
+    settings.SESSION_COOKIE_SAMESITE = "Strict" if samesite_strict else "Lax"
+    query = "?state=123"
+    resp = client.get(
+        reverse("google_callback") + query + ("&_redir" if did_already_redirect else "")
+    )
+    if expect_redirect:
+        assertTemplateUsed(resp, "socialaccount/login_redirect.html")
+        assert (
+            resp.context["redirect_to"]
+            == reverse("google_callback") + query + "&_redir="
+        )
+    else:
+        assertTemplateUsed(resp, "socialaccount/authentication_error.html")

allauth/socialaccount/providers/oauth2/tests/test_views.py

@@ -1,11 +1,15 @@
 from datetime import timedelta
 from requests import RequestException
 
+from django.conf import settings
 from django.core.exceptions import PermissionDenied
+from django.shortcuts import render
 from django.urls import reverse
 from django.utils import timezone
 
+from allauth.account import app_settings as account_settings
 from allauth.core.exceptions import ImmediateHttpResponse
+from allauth.core.internal.httpkit import add_query_params
 from allauth.socialaccount.adapter import get_adapter
 from allauth.socialaccount.helpers import (
     complete_social_login,
@@ -156,6 +160,24 @@ def dispatch(self, request, *args, **kwargs):
                 request, provider, exception=e, extra_context={"state": state}
             )
 
+    def _redirect_strict_samesite(self, request, provider):
+        if (
+            "_redir" in request.GET
+            or settings.SESSION_COOKIE_SAMESITE.lower() != "strict"
+            or request.method != "GET"
+        ):
+            return
+        redirect_to = request.get_full_path()
+        redirect_to = add_query_params(redirect_to, {"_redir": ""})
+        return render(
+            request,
+            "socialaccount/login_redirect." + account_settings.TEMPLATE_EXTENSION,
+            {
+                "provider": provider,
+                "redirect_to": redirect_to,
+            },
+        )
+
     def _get_state(self, request, provider):
         state = None
         state_id = get_request_param(request, "state")
@@ -165,6 +187,11 @@ def _get_state(self, request, provider):
         else:
             state = statekit.unstash_last_state(request)
         if state is None:
+            resp = self._redirect_strict_samesite(request, provider)
+            if resp:
+                # 'Strict' is in effect, let's try a redirect and then another
+                # shot at finding our state...
+                return None, resp
             return None, render_authentication_error(
                 request,
                 provider,

allauth/socialaccount/providers/oauth2/views.py

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+    {% load i18n %}
+    <head>
+        <title>{% translate "Sign In" %} | {{ provider }}</title>
+        <meta http-equiv="refresh" content="0;URL='{{ redirect_to }}'" />
+    </head>
+    <body>
+        <p>
+            <a href="{{ redirect_to }}">{% translate "Continue" %}</a>
+        </p>
+    </body>
+</html>