angee.integrate.oauth.state

Single-use redirect state records stored in Django's cache.

Shared by every browser redirect flow: account-connect (OAuth) and login/link (OIDC). State is keyed on the OAuthClient the picker selected; the OIDC layer loads that client's oidc refinement when completing a login.

StateFlow

```python
class StateFlow(StrEnum)
```

Which redirect mutation may consume one state token.

A token minted for a login must not complete a link/connect (and vice versa); the completion path fails closed when the flow does not match, so a leaked state cannot be replayed across flows.

StateRecord

```python
@dataclass(frozen=True, slots=True)
class StateRecord()
```

Cached data needed to complete one OAuth/OIDC redirect.

issue

```python
def issue(oauth_client: object,
          redirect_uri: str,
          *,
          user_id: str | None = None,
          next_path: str = "",
          flow: StateFlow = StateFlow.LOGIN,
          integration_id: str = "") -> tuple[str, StateRecord]
```

Create and cache one single-use redirect state record.

consume

```python
def consume(state_token: str) -> StateRecord
```

Return and remove one cached state record.
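
The single-use and flow-binding behaviour described on this page, as an added example that is not angee's own code. A module-level dict stands in for Django's cache, and the `LINK` member, the `StateRecord` fields, `StateError`, `complete()`, the `ttl` parameter and its 600-second default are assumptions made for illustration.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from enum import Enum

TTL_SECONDS = 600  # assumed lifetime; the page does not state one
_CACHE: dict[str, tuple[float, StateRecord]] = {}  # stand-in for Django's cache


class StateError(Exception):
    """Unknown, expired, replayed or wrong-flow state (hypothetical name)."""


class StateFlow(str, Enum):  # the page uses StrEnum; LINK is an assumed member
    LOGIN = "login"
    LINK = "link"


@dataclass(frozen=True)
class StateRecord:  # field set assumed from issue()'s parameters
    client_id: str
    redirect_uri: str
    flow: StateFlow
    user_id: str | None = None


def issue(client_id, redirect_uri, *, flow=StateFlow.LOGIN, user_id=None, ttl=TTL_SECONDS):
    token = secrets.token_urlsafe(32)  # unguessable value, used as the cache key
    record = StateRecord(client_id, redirect_uri, flow, user_id)
    _CACHE[token] = (time.monotonic() + ttl, record)
    return token, record


def consume(state_token):
    # pop() returns and removes in one step, so a second callback finds nothing.
    entry = _CACHE.pop(state_token, None)
    if entry is None or entry[0] < time.monotonic():
        raise StateError("unknown, expired or already used state")
    return entry[1]


def complete(state_token, expected_flow):
    record = consume(state_token)  # the token is burned even if the check below fails
    if record.flow is not expected_flow:
        raise StateError("state was issued for a different flow")  # fail closed
    return record
```

With a shared cache backend, the read and the delete must happen atomically for the single-use property to hold under concurrent callbacks; the dict's `pop()` gives that here.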

Released under the AGPL-3.0 License.