From 3775c8eace246fdeb720496aa595c06886b1cff6 Mon Sep 17 00:00:00 2001
From: tuxcoder
Date: Sun, 17 Dec 2023 17:10:41 +0100
Subject: [PATCH] parse uuid before usage

---
 lenticular_cloud/views/auth.py | 6 ++++--
 lenticular_cloud/views/oauth2.py | 3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/lenticular_cloud/views/auth.py b/lenticular_cloud/views/auth.py
index 308f910..5d4f2e7 100644
--- a/lenticular_cloud/views/auth.py
+++ b/lenticular_cloud/views/auth.py
@@ -21,7 +21,7 @@ from ory_hydra_client.api.o_auth_2 import get_o_auth_2_consent_request, accept_o
 from ory_hydra_client import models as ory_hydra_m
 from ory_hydra_client.models import TheRequestPayloadUsedToAcceptALoginOrConsentRequest, TheRequestPayloadUsedToAcceptAConsentRequest, GenericError
 from typing import Optional
-from uuid import uuid4
+from uuid import uuid4, UUID
 from ..model import db, User, SecurityUser
 from ..form.auth import ConsentForm, LoginForm, RegistrationForm
 
@@ -54,7 +54,9 @@ async def consent() -> ResponseReturnValue:
     requested_audiences = consent_request.requested_access_token_audience
 
     if form.validate_on_submit() or consent_request.skip:
-        user = User.query.get(consent_request.subject) # type: Optional[User]
+
+        uid = UUID(consent_request.subject)
+        user = User.query.get(uid)
         if user is None:
             return 'internal error', 500
         access_token = {
diff --git a/lenticular_cloud/views/oauth2.py b/lenticular_cloud/views/oauth2.py
index 457438b..c1320bb 100644
--- a/lenticular_cloud/views/oauth2.py
+++ b/lenticular_cloud/views/oauth2.py
@@ -7,6 +7,7 @@ from flask_login import LoginManager
 from typing import Optional
 from werkzeug.wrappers.response import Response as WerkzeugResponse
 import logging
+from uuid import UUID
 from ..model import User, SecurityUser
 from ..hydra import hydra_service
 
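Review bot: `uid = UUID(consent_request.subject)` in the consent() hunk raises ValueError when the subject is not a well-formed UUID string, and nothing in the hunk catches it, so a malformed subject becomes an unhandled exception instead of reaching the explicit `'internal error', 500` path two lines below; the `authorized()` hunk in oauth2.py has the same unguarded parse with `UUID(userinfo["sub"])`. Keeping the failure on the handler's existing error path is a two-line change, e.g. `try: uid = UUID(consent_request.subject)` / `except ValueError: return 'internal error', 500`, and the equivalent guard in authorized() would return its `"user not found", 404` instead of a stack trace. The added empty `+` line before the `uid = ...` assignment and the dropped `# type: Optional[User]` annotation look accidental, since the oauth2.py hunk keeps its annotation on the same kind of line. consent()'s body starts and ends outside the hunk.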
@@ -46,7 +47,7 @@ def authorized() -> ResponseReturnValue:
         return 'bad request', 400
     session['token'] = token
     userinfo = oauth2.custom.get('/userinfo').json()
-    user = User.query.get(str(userinfo["sub"])) # type: Optional[User]
+    user = User.query.get(UUID(userinfo["sub"])) # type: Optional[User]
     if user is None:
         return "user not found", 404
     logger.info(f"user `{user.username}` successfully logged in")