Use Django's messages framework to only show the client secret once

blag · blag · commit f65b59a741c0 · 2024-09-24T02:23:24.000-07:00
diff --git a/docs/getting_started.rst b/docs/getting_started.rst
@@ -245,9 +245,9 @@ Start the development server::
 
 Point your browser to http://127.0.0.1:8000/o/applications/register/ lets create an application.
 
-Fill the form as show in the screenshot below and before save take note of ``Client id`` and ``Client secret``, we will use it in a minute.
+Fill the form as show in the screenshot below and after saving take note of the ``client secret`` (possibly shown in the flash message) and the ``client ID``, we will use them both in a minute.
 
-If you want to use this application with OIDC and ``HS256`` (see :doc:`OpenID Connect <oidc>`), uncheck ``Hash client secret`` to allow verifying tokens using JWT signatures. This means your client secret will be stored in cleartext but is the only way to successfully use signed JWT's with ``HS256``.
+If you want to use this application with OIDC and ``HS256`` (see :doc:`OpenID Connect <oidc>`), uncheck ``Hash client secret`` to allow verifying tokens using JWT signatures. Unchecking that means your client secret will be stored on the server in cleartext but is the only way to successfully use signed JWT's with ``HS256``.
 
 .. note::
     ``RS256`` is the more secure algorithm for signing your JWTs. Only use ``HS256`` if you must.
diff --git a/docs/install.rst b/docs/install.rst
@@ -5,7 +5,7 @@ Install with pip::
 
     pip install django-oauth-toolkit
 
-Add ``oauth2_provider`` to your ``INSTALLED_APPS``
+Enable and configure Django's messages framework, and add ``oauth2_provider`` to your ``INSTALLED_APPS``
 
 .. code-block:: python
 
diff --git a/oauth2_provider/templates/oauth2_provider/application_detail.html b/oauth2_provider/templates/oauth2_provider/application_detail.html
@@ -5,6 +5,17 @@
     <div class="block-center">
         <h3 class="block-center-heading">{{ application.name }}</h3>
 
+        {% if messages %}
+        <ul class="messages">
+            {% for message in messages %}
+            <li{% if message.tags %} class="{{ message.tags }}"{% endif %}>
+                {% if message.level == DEFAULT_MESSAGE_LEVELS.ERROR %}Important: {% endif %}
+                {{ message }}
+            </li>
+            {% endfor %}
+        </ul>
+        {% endif %}
+
         <ul class="unstyled">
             <li>
                 <p><b>{% trans "Client ID" %}</b></p>
@@ -15,9 +26,6 @@ <h3 class="block-center-heading">{{ application.name }}</h3>
             <li>
                 <p><b>{% trans "Client secret" %}</b></p>
                 <p>{{ client_secret }}</p>
-                {% if show_client_secret_once %}
-                <p class="error">{% translate "This will only be displayed once - copy it now!" %}</p>
-                {% endif %}
             </li>
             {% endif %}
 
diff --git a/oauth2_provider/views/application.py b/oauth2_provider/views/application.py
@@ -1,6 +1,9 @@
+from django.contrib import messages
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.forms.models import modelform_factory
 from django.urls import reverse_lazy
+from django.utils.safestring import mark_safe
+from django.utils.translation import gettext as _
 from django.views.generic import CreateView, DeleteView, DetailView, ListView, UpdateView
 
 from ..models import get_application_model
@@ -22,9 +25,7 @@ class ApplicationRegistration(LoginRequiredMixin, CreateView):
     View used to register a new Application for the request.user
     """
 
-    context_object_name = "application"
     template_name = "oauth2_provider/application_registration_form.html"
-    success_template_name = "oauth2_provider/application_detail.html"
 
     def get_form_class(self):
         """
@@ -46,22 +47,23 @@ def get_form_class(self):
 
     def form_valid(self, form):
         form.instance.user = self.request.user
-        if not form.cleaned_data["hash_client_secret"]:
-            return super().form_valid(form)
-
-        client_secret = form.instance.client_secret
-        self.object = form.save()
-        return self.response_class(
-            request=self.request,
-            template=self.success_template_name,
-            context=self.get_context_data(
-                client_secret=client_secret,
-                show_client_secret_once=self.object.hash_client_secret,
-                **{self.context_object_name: self.object},
-            ),
-            using=self.template_engine,
-            content_type=self.content_type,
-        )
+        # If we are hashing the client secret, display the cleartext value in a flash message with
+        # Django's messages framework
+        if form.cleaned_data["hash_client_secret"]:
+            messages.add_message(
+                self.request,
+                messages.SUCCESS,
+                # Since the client_secret is not user-supplied, we can manually mark this entire
+                # string as safe so Django doesn't re-encode the HTML markup
+                mark_safe(
+                    _(
+                        "The application client secret is:<br /><code>%s</code><br />"
+                        "This will only be shown once, so copy it now!"
+                    )
+                    % form.instance.client_secret
+                ),
+            )
+        return super().form_valid(form)
 
 
 class ApplicationDetail(ApplicationOwnerIsUserMixin, DetailView):
