fix: enforce SSL certificate verification in OAuth provider, replace hardcoded CERT_NONE#3431
fix: enforce SSL certificate verification in OAuth provider, replace hardcoded CERT_NONE#3431Aryanbansal-05 wants to merge 1 commit into
Conversation
…hardcoded CERT_NONE
|
@Aryanbansal-05 is attempting to deploy a commit to the ritesh Team on Vercel. A member of the Team first needs to authorize it. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
🔐 Summary
Resolves #3425 by removing hardcoded
ssl.CERT_NONEandcheck_hostname = Falsefrom the OAuth provider, replacing them with a secure SSL context that enforces full certificate verification in production.🛠️ Changes Made
backend/auth/oauth_provider.pyBefore:
exchange_code_for_tokens()andget_user_profile()created SSL contexts with:ctx.check_hostname = Falsectx.verify_mode = ssl.CERT_NONEAfter:
_create_ssl_context()helper used by both functionscheck_hostname = True,verify_mode = ssl.CERT_REQUIREDOAUTH_DISABLE_SSL_VERIFY=1env var (logs a warning, never silent)print()statements withlogging.getLogger()for proper log level control.env.exampleOAUTH_DISABLE_SSL_VERIFY=0with clear warning it must never be1in production✅ Security Issues Fixed
Closes #3425