From 01e19485ebb2a5da0f6e025f84afe7f3d7e5c166 Mon Sep 17 00:00:00 2001
From: Son NK
Date: Tue, 23 Jul 2019 19:40:56 +0200
Subject: [PATCH] apart from localhost, allow only https
---
 app/oauth/views/authorize.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/app/oauth/views/authorize.py b/app/oauth/views/authorize.py
index 366b46fb..3c0b7fd3 100644
--- a/app/oauth/views/authorize.py
+++ b/app/oauth/views/authorize.py
@@ -55,9 +55,11 @@ def authorize(): # check if redirect_uri is valid # allow localhost by default - # todo: only allow https hostname, scheme = get_host_name_and_scheme(redirect_uri) if hostname != "localhost": + if scheme != "https": + return "Only https is supported", 400 + if not RedirectUri.get_by(client_id=client.id, uri=redirect_uri): return f"{redirect_uri} is not authorized", 400
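Review bot: The new `scheme != "https"` guard is nested inside the `hostname != "localhost"` branch, so a redirect_uri whose host parses as `localhost` skips both the scheme check and the `RedirectUri.get_by` registration lookup; that loopback bypass is pre-existing, but this commit makes it the only path that still accepts plain http and the hunk leaves it undocumented. The check is a bare string comparison on whatever `get_host_name_and_scheme` returns, so its strength depends on that helper normalising case (a hand-rolled split would reject `HTTPS://…`, which fails closed but is surprising) and on it extracting the host from the parsed URL rather than from the raw netloc — worth confirming in the helper, which is not in this hunk. Note also that because the scheme test runs before the registration lookup, any non-localhost `http://` redirect URI already registered for a client now fails with "Only https is supported" with no migration path mentioned in the commit message. I would replace the removed todo with an explicit policy comment, e.g. `# Non-loopback redirect URIs must be https and pre-registered; plain http is tolerated only for localhost (loopback redirects, RFC 8252 §7.3).`. `authorize()` starts before this hunk and continues past it.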