2023-06-12 09:38:12 +02:00
3 changed files with 10 additions and 2 deletions
--- a/combo/apps/wcs/views.py
+++ b/combo/apps/wcs/views.py
@ -147,5 +147,5 @@ def redirect_crypto_url(request, session_key, crypto_url):
    if '?' not in real_url:
        real_url += '?'
    real_url += '&orig=%s' % service['orig']
-    redirect_url = sign_url(real_url, service['secret'])
+    redirect_url = sign_url(real_url, service['secret'], nonce=False)
    return HttpResponseRedirect(redirect_url)
--- a/combo/utils/signature.py
+++ b/combo/utils/signature.py
@ -43,7 +43,10 @@ def sign_query(query, key, algo='sha256', timestamp=None, nonce=None):
    new_query = query
    if new_query:
        new_query += '&'
-    new_query += urlencode((('algo', algo), ('timestamp', timestamp), ('nonce', nonce)))
+    params = [('algo', algo), ('timestamp', timestamp)]
+    if nonce:
+        params.append(('nonce', nonce))
+    new_query += urlencode(params)
    signature = base64.b64encode(sign_string(new_query, key, algo=algo))
    new_query += '&signature=' + quote(signature)
    return new_query
--- a/tests/test_cells.py
+++ b/tests/test_cells.py
@ -3,6 +3,7 @@ import json
 import logging
 import os
 import re
+import urllib.parse
 from unittest import mock

 import pytest
@ -733,6 +734,10 @@ def test_json_cell_make_public_url(app):
        resp = app.get(url)
        assert '/api/wcs/file/' in resp.text
        assert 'http://127.0.0.1:8999' not in resp.text
+        resp = app.get(resp.text)
+        qs = urllib.parse.parse_qs(urllib.parse.urlparse(resp.location).query)
+        assert 'signature' in qs
+        assert 'nonce' not in qs

    # url from unknown service
    cell.template_string = '{% make_public_url url="https://example.net" %}'