From 8d18fb43230c80b40c00732850b5631c4346d54a Mon Sep 17 00:00:00 2001
From: Raffael Meyer <14891507+barredterra@users.noreply.github.com>
Date: Wed, 29 Jul 2020 17:48:39 +0200
Subject: [PATCH] fix(oauth provider): parse cookies correctly (#11066)

---
 frappe/oauth.py | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/frappe/oauth.py b/frappe/oauth.py
index 4dc50366be..122c806072 100644
--- a/frappe/oauth.py
+++ b/frappe/oauth.py
@@ -4,6 +4,7 @@ import pytz
 
 from frappe import _
 from frappe.auth import LoginManager
+from http import cookies
 from oauthlib.oauth2.rfc6749.tokens import BearerToken
 from oauthlib.oauth2.rfc6749.grant_types import AuthorizationCodeGrant, ImplicitGrant, ResourceOwnerPasswordCredentialsGrant, ClientCredentialsGrant,  RefreshTokenGrant
 from oauthlib.oauth2 import RequestValidator
@@ -130,15 +131,12 @@ class OAuthWebRequestValidator(RequestValidator):
 		oac.scopes = get_url_delimiter().join(request.scopes)
 		oac.redirect_uri_bound_to_authorization_code = request.redirect_uri
 		oac.client = client_id
-		oac.user = unquote(cookie_dict['user_id'])
+		oac.user = unquote(cookie_dict['user_id'].value)
 		oac.authorization_code = code['code']
 		oac.save(ignore_permissions=True)
 		frappe.db.commit()
 
 	def authenticate_client(self, request, *args, **kwargs):
-
-		cookie_dict = get_cookie_dict_from_headers(request)
-
 		#Get ClientID in URL
 		if request.client_id:
 			oc = frappe.get_doc("OAuth Client", request.client_id)
@@ -155,7 +153,9 @@ class OAuthWebRequestValidator(RequestValidator):
 		except Exception as e:
 			print("Failed body authentication: Application %s does not exist".format(cid=request.client_id))
 
-		return frappe.session.user == unquote(cookie_dict.get('user_id', "Guest"))
+		cookie_dict = get_cookie_dict_from_headers(request)
+		user_id = unquote(cookie_dict['user_id']) if 'user_id' in cookie_dict else "Guest"
+		return frappe.session.user == user_id
 
 	def authenticate_client_id(self, client_id, request, *args, **kwargs):
 		cli_id = frappe.db.get_value('OAuth Client', client_id, 'name')
@@ -400,13 +400,10 @@ class OAuthWebRequestValidator(RequestValidator):
 		return True
 
 def get_cookie_dict_from_headers(r):
+	cookie = cookies.BaseCookie()
 	if r.headers.get('Cookie'):
-		cookie = r.headers.get('Cookie')
-		cookie = cookie.split("; ")
-		cookie_dict = {k:v for k,v in (x.split('=') for x in cookie)}
-		return cookie_dict
-	else:
-		return {}
+		cookie.load(r.headers.get('Cookie'))
+	return cookie
 
 def calculate_at_hash(access_token, hash_alg):
 	"""Helper method for calculating an access token