Fix auth_sign_path with query params (#73240)

Co-authored-by: J. Nick Koston <nick@koston.org>
2022-06-21 15:21:47 -04:00 · 2022-06-21 15:21:47 -04:00 · 67618311fa
commit 67618311fa
parent adf0f62963
2 changed files with 92 additions and 3 deletions
--- a/homeassistant/components/http/auth.py
+++ b/homeassistant/components/http/auth.py
@ -7,11 +7,11 @@ from ipaddress import ip_address
 import logging
 import secrets
 from typing import Final
-from urllib.parse import unquote

 from aiohttp import hdrs
 from aiohttp.web import Application, Request, StreamResponse, middleware
 import jwt
+from yarl import URL

 from homeassistant.auth.const import GROUP_ID_READ_ONLY
 from homeassistant.auth.models import User
@ -57,18 +57,24 @@ def async_sign_path(
        else:
            refresh_token_id = hass.data[STORAGE_KEY]

+    url = URL(path)
    now = dt_util.utcnow()
+    params = dict(sorted(url.query.items()))
    encoded = jwt.encode(
        {
            "iss": refresh_token_id,
-            "path": unquote(path),
+            "path": url.path,
+            "params": params,
            "iat": now,
            "exp": now + expiration,
        },
        secret,
        algorithm="HS256",
    )
-    return f"{path}?{SIGN_QUERY_PARAM}={encoded}"
+
+    params[SIGN_QUERY_PARAM] = encoded
+    url = url.with_query(params)
+    return f"{url.path}?{url.query_string}"


@callback
@ -176,6 +182,11 @@ async def async_setup_auth(hass: HomeAssistant, app: Application) -> None:
        if claims["path"] != request.path:
            return False

+        params = dict(sorted(request.query.items()))
+        del params[SIGN_QUERY_PARAM]
+        if claims["params"] != params:
+            return False
+
        refresh_token = await hass.auth.async_get_refresh_token(claims["iss"])

        if refresh_token is None: