🐛 [#1998] Check if path matches callback in OIDC backends

src/open_inwoner/accounts/backends.py

@@ -4,6 +4,7 @@
 from django.contrib.auth import get_user_model
 from django.contrib.auth.backends import ModelBackend
 from django.contrib.auth.hashers import check_password
+from django.urls import reverse_lazy
 
 from axes.backends import AxesBackend
 from mozilla_django_oidc_db.backends import OIDCAuthenticationBackend
@@ -70,6 +71,16 @@ def authenticate(self, request=None, *args, **kwargs):
 
 
 class CustomOIDCBackend(OIDCAuthenticationBackend):
+    callback_path = reverse_lazy("oidc_authentication_callback")
+
+    def authenticate(self, request, *args, **kwargs):
+        # Avoid attempting OIDC for a specific variant if we know that that is not the
+        # correct variant being attempted
+        if request and request.path != self.callback_path:
+            return
+
+        return super().authenticate(request, *args, **kwargs)
+
     def create_user(self, claims):
         """
         Return object for a newly created user account.

src/open_inwoner/accounts/tests/test_backends.py

@@ -0,0 +1,71 @@
+from unittest.mock import patch
+
+from django.contrib import auth
+from django.test import RequestFactory, TestCase, override_settings
+from django.urls import reverse
+
+from open_inwoner.accounts.tests.factories import UserFactory
+
+
+class OIDCBackendTestCase(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        super().setUpTestData()
+
+        cls.user = UserFactory.create()
+
+    @override_settings(
+        AUTHENTICATION_BACKENDS=[
+            "open_inwoner.accounts.backends.CustomOIDCBackend",
+            "digid_eherkenning_oidc_generics.backends.OIDCAuthenticationEHerkenningBackend",
+            "digid_eherkenning_oidc_generics.backends.OIDCAuthenticationDigiDBackend",
+        ]
+    )
+    @patch(
+        "digid_eherkenning_oidc_generics.backends.OIDCAuthenticationDigiDBackend.authenticate"
+    )
+    @patch(
+        "open_inwoner.accounts.backends.OIDCAuthenticationBackend.authenticate",
+        side_effect=Exception,
+    )
+    def test_digid_oidc_use_correct_backend(
+        self, mock_authenticate, mock_digid_authenticate
+    ):
+        """
+        Both the regular OIDC and eHerkenning backend should check if the request path matches
+        their callback before trying to authenticate
+        """
+        mock_digid_authenticate.return_value = self.user
+
+        request = RequestFactory().get(reverse("digid_oidc:callback"))
+
+        result = auth.authenticate(request)
+
+        self.assertEqual(result, self.user)
+
+    @override_settings(
+        AUTHENTICATION_BACKENDS=[
+            "digid_eherkenning_oidc_generics.backends.OIDCAuthenticationDigiDBackend",
+            "digid_eherkenning_oidc_generics.backends.OIDCAuthenticationEHerkenningBackend",
+            "open_inwoner.accounts.backends.CustomOIDCBackend",
+        ]
+    )
+    @patch(
+        "mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.authenticate",
+        side_effect=Exception,
+    )
+    @patch("open_inwoner.accounts.backends.CustomOIDCBackend.authenticate")
+    def test_admin_oidc_use_correct_backend(
+        self, mock_authenticate, mock_digid_eherkenning_authenticate
+    ):
+        """
+        Both the DigiD and eHerkenning backend should check if the request path matches
+        their callback before trying to authenticate
+        """
+        mock_authenticate.return_value = self.user
+
+        request = RequestFactory().get(reverse("oidc_authentication_callback"))
+
+        result = auth.authenticate(request)
+
+        self.assertEqual(result, self.user)