From c60ba91feefcb19c6fc2cb6c9bbb37cd5ba06ecc Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 23 Aug 2021 23:59:43 +0200
Subject: [PATCH] core: fix auth saving entire models into session

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/core/auth.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/authentik/core/auth.py b/authentik/core/auth.py
index 851177bec..63f95433b 100644
--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@@ -6,6 +6,7 @@ from django.contrib.auth.backends import ModelBackend
 from django.http.request import HttpRequest
 
 from authentik.core.models import Token, TokenIntents, User
+from authentik.events.utils import cleanse_dict, sanitize_dict
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views import SESSION_KEY_PLAN
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
@@ -31,7 +32,7 @@ class InbuiltBackend(ModelBackend):
         # and the token used, we assume we're running in a flow and set a variable in the context
         flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
         flow_plan.context[PLAN_CONTEXT_METHOD] = method
-        flow_plan.context[PLAN_CONTEXT_METHOD_ARGS] = kwargs
+        flow_plan.context[PLAN_CONTEXT_METHOD_ARGS] = cleanse_dict(sanitize_dict(kwargs))
         request.session[SESSION_KEY_PLAN] = flow_plan