From d1c5ff4019f2a3d67a9bb7ba7309957ee61d8deb Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Wed, 22 Jun 2016 12:46:18 +0200
Subject: [PATCH] Use session to transmist username/ticket from fedeare view to
 login view

Hence, these parameter are not recorder in the user history, and thus
the user username do not apear anymore in the history. This respect more the
user privacy.
---
 cas_server/federate.py |  1 -
 cas_server/views.py    | 22 +++++++++++++++++-----
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/cas_server/federate.py b/cas_server/federate.py
index 682f35b..64fa96b 100644
--- a/cas_server/federate.py
+++ b/cas_server/federate.py
@@ -29,7 +29,6 @@ class CASFederateValidateUser(object):
                 service_url=service_url,
                 version=version,
                 server_url=server_url,
-                extra_login_params={"provider": provider},
                 renew=False,
             )
 
diff --git a/cas_server/views.py b/cas_server/views.py
index 0c2dc73..eb0f2d3 100644
--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -215,8 +215,9 @@ class FederateAuth(View):
         else:
             ticket = request.GET['ticket']
             if auth.verify_ticket(ticket):
-                params = utils.copy_params(request.GET)
-                params['username'] = "%s@%s" % (auth.username, auth.provider)
+                params = utils.copy_params(request.GET, ignore={"ticket"})
+                request.session["federate_username"] = "%s@%s" % (auth.username, auth.provider)
+                request.session["federate_ticket"] = ticket
                 url = utils.reverse_params("cas_server:login", params)
                 return HttpResponseRedirect(url)
             else:
@@ -242,6 +243,10 @@ class LoginView(View, LogoutMixin):
     renewed = False
     warned = False
 
+    if settings.CAS_FEDERATE:
+        username = None
+        ticket = None
+
     INVALID_LOGIN_TICKET = 1
     USER_LOGIN_OK = 2
     USER_LOGIN_FAILURE = 3
@@ -307,7 +312,10 @@ class LoginView(View, LogoutMixin):
                 )
                 self.user.save()
         elif ret == self.USER_LOGIN_FAILURE:  # bad user login
-            self.ticket = None
+            if settings.CAS_FEDERATE:
+                self.ticket = None
+                self.usernalme = None
+                self.init_form()
             self.logout()
         elif ret == self.USER_ALREADY_LOGGED:
             pass
@@ -353,8 +361,12 @@ class LoginView(View, LogoutMixin):
         self.ajax = 'HTTP_X_AJAX' in request.META
         self.warn = request.GET.get('warn')
         if settings.CAS_FEDERATE:
-            self.username = request.GET.get('username')
-            self.ticket = request.GET.get('ticket')
+            self.username = request.session.get("federate_username")
+            self.ticket = request.session.get("federate_ticket")
+            if self.username:
+                del request.session["federate_username"]
+            if self.ticket:
+                del request.session["federate_ticket"]
 
     def get(self, request, *args, **kwargs):
         """methode called on GET request on this view"""