No Cookie Header in Square OAuth Callback
Below is the outline of a Python Lambda handler for the Square authorization callback.
This is the callback endpoint added as the OAuth Redirect URL of the Square application.
The Square Hosted UI sends the authorization code to this lambda and it is responsible for the
token exchange and storing the access / refresh tokens in a back end DB.
The request to the Lambda does NOT appear to contain a Cookie header.
Am I looking for the wrong thing? In the wrong way?
Request: {
    'version': '2.0',
    'routeKey': 'ANY /square_oauth',
    'rawPath': '/Leedz_Stage_1/square_oauth',
    'rawQueryString': 'code=sandbox-sq0cgb-BIzgndt7_AjMxfAvIDF6NA&response_type=code&state=60b141cc-a519-4643-95eb-a9289f85faaa',
    'headers': {
        'accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
        'accept-encoding': 'gzip, deflate, br',
        'accept-language': 'en-US,en;q=0.9',
        'content-length': '0',
        'host': 'something.execute-api.us-west-2.amazonaws.com',
        'referer': 'https://www.theleedz.com/',
        'sec-ch-ua': '"Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120"',
        'sec-ch-ua-mobile': '?0',
        'sec-ch-ua-platform': '"Windows"',
        'sec-fetch-dest': 'document',
        'sec-fetch-mode': 'navigate',
        'sec-fetch-site': 'cross-site',
        'sec-fetch-user': '?1',
        'upgrade-insecure-requests': '1',
        'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
        'x-amzn-trace-id': 'Root=1-the_route_key',
        'x-forwarded-for': '104.173.202.58',
        'x-forwarded-port': '443',
        'x-forwarded-proto': 'https'
    },
    'queryStringParameters': {
        'code': 'sandbox-sq0cgb-BIzgndt7_AjMxfAvIDF6NA',
        'response_type': 'code',
        'state': '60b141cc-a519-4643-95eb-a9289f85faaa'
    },
    'requestContext': {
        'accountId': 'the_account_ID',
        'apiId': 'the_app_ID',
        'domainName': 'something.execute-api.us-west-2.amazonaws.com',
        'domainPrefix': 'something',
        'http': {
            'method': 'GET',
            'path': '/Leedz_Stage_1/square_oauth',
            'protocol': 'HTTP/1.1',
            'sourceIp': 'the.source.IP',
            'userAgent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
        },
        'requestId': 'Rap9jjxjPHcEPxQ=',
        'routeKey': 'ANY /square_oauth',
        'stage': 'Leedz_Stage_1',
        'time': '12/Jan/2024:07:55:02 +0000',
        'timeEpoch': 1705046102458
    },
    'isBase64Encoded': False
}
import logging
from http import cookies

logger = logging.getLogger()


def lambda_handler(event, context):
    # get state parameter
    # generated in authorization link sent during sign-up
    params = event.get('queryStringParameters') or {}
    state = params.get('state', '')
    response_type = params.get('response_type', '')

    # COOKIE
    #
    # 1/9 not getting the cookie at all
    # will throw exception
    # checkForCookie(event, state)

    # RESPONSE TYPE
    # look for 'code' indicating refresh/access token
    if response_type == 'code':
        # table, the_user, doTokenExchange and handle_success are
        # defined elsewhere in the project (not shown in this outline)
        doTokenExchange(table, event, the_user)
        handle_success()


def checkForCookie(event, state):
    cookie_state = ''
    # required=1: raises if the request carries no 'cookie' header at all
    cookie = validateHeader(event, 'cookie', 1)
    if cookie:
        c = cookies.SimpleCookie(cookie)
        if 'OAuthState' in c:
            cookie_state = c['OAuthState'].value
        # ERROR
        # cookie state from web client either NULL or doesn't match param state
        if (not cookie_state) or (state != cookie_state):
            raise ValueError("Authorization failed: invalid auth state")
    else:
        logger.error("NO COOKIE RECEIVED")


def validateHeader(event, header, required):
    value = ""
    if 'headers' not in event:
        if required:
            raise ValueError("Http Request error. No headers found")
        else:
            return value
    if header not in event['headers']:
        if required:
            raise ValueError("HTTP Request error. No '" + header + "' header")
    else:
        value = event['headers'][header]
    return value
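The posted event is an API Gateway HTTP API payload format 2.0 record, in which any cookies the browser sends arrive in a top-level `cookies` list rather than in `headers['cookie']`; this event has neither, consistent with its `sec-fetch-site: cross-site` top-level navigation from Square to the execute-api host, which only receives cookies set for that host. As an added example (not the poster's code), the check below reads `OAuthState` from either location, compares it to the query `state` in constant time, and reports which condition failed; the sample event is constructed.

```python
import hmac
from http import cookies

COOKIE_NAME = "OAuthState"  # cookie name used by the posted checkForCookie()

# Constructed sample: a format-2.0 event in which the browser did send the
# cookie. API Gateway puts each cookie in the top-level 'cookies' list.
SAMPLE_EVENT_WITH_COOKIE = {
    "version": "2.0",
    "headers": {"host": "example.execute-api.us-west-2.amazonaws.com"},
    "cookies": ["OAuthState=abc123", "session=constructed"],
    "queryStringParameters": {"code": "sandbox-placeholder",
                              "response_type": "code", "state": "abc123"},
}


def state_from_event(event):
    """Return the OAuthState cookie value, or None if no such cookie arrived.

    Format 2.0 delivers cookies in event['cookies']; format 1.0 and REST APIs
    deliver them in headers['cookie']. Both are checked so either works.
    """
    raw_cookies = list(event.get("cookies") or [])
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    if "cookie" in headers:
        raw_cookies.append(headers["cookie"])
    for raw in raw_cookies:
        jar = cookies.SimpleCookie()
        try:
            jar.load(raw)
        except cookies.CookieError:
            continue  # malformed cookie string: skip it, keep looking
        morsel = jar.get(COOKIE_NAME)
        if morsel is not None and morsel.value:
            return morsel.value
    return None


def verify_oauth_state(event):
    """Compare ?state= with the OAuthState cookie; return (ok, reason).

    'no cookie' (the symptom in the question) is reported separately from
    'cookie present but mismatched' so logs show which case occurred.
    """
    query_state = (event.get("queryStringParameters") or {}).get("state", "")
    if not query_state:
        return False, "missing state query parameter"
    cookie_state = state_from_event(event)
    if cookie_state is None:
        return False, "no OAuthState cookie received by this host"
    if not hmac.compare_digest(query_state.encode(), cookie_state.encode()):
        return False, "state mismatch between cookie and query parameter"
    return True, "ok"
```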