
Roman Barczyński committed 1959bd2

if request is not secure allow only encrypted association sessions; fixes #3


Files changed (1)

openid_provider/views.py

 
 from django.contrib.auth import REDIRECT_FIELD_NAME
 
+from openid.association import default_negotiator, encrypted_negotiator
 from openid.consumer.discover import OPENID_IDP_2_0_TYPE, OPENID_2_0_TYPE
 from openid.extensions import sreg, ax
 from openid.fetchers import HTTPFetchingError
     server = Server(get_store(request),
         op_endpoint=request.build_absolute_uri(reverse('openid-provider-root')))
 
+    if not request.is_secure():
+        # if request is not secure allow only encrypted association sessions (fixes #3)
+        server.negotiator = encrypted_negotiator
+
     # Clear AuthorizationInfo session var, if it is set
     if request.session.get('AuthorizationInfo', None):
         del request.session['AuthorizationInfo']
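Review bot: `default_negotiator` is imported on the new import line but not referenced in either visible hunk; unless it is used elsewhere in views.py, drop it or make the policy explicit in one place with `server.negotiator = encrypted_negotiator if not request.is_secure() else default_negotiator`. The guard rests on `request.is_secure()`, which behind a TLS-terminating proxy is only trustworthy when Django's `SECURE_PROXY_SSL_HEADER` is configured and the proxy strips that header from incoming client requests; if the header can be set by a client, a plaintext request would be treated as secure and could still negotiate an unencrypted session, so that deployment requirement is worth stating next to this check. The added comment restates the commit message rather than the reason; suggest `# No TLS: refuse the no-encryption association session type (it would ship the shared MAC key in cleartext) and allow only DH-based sessions.` The enclosing view function starts and ends outside the hunk.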