redirect to ?error=invalid_client_id|http_not_allowed|unknown_redirect_uri instead of return 400

2019-11-12 13:58:17 +01:00 · 2019-11-12 13:58:17 +01:00 · c66f424c51
parent 61a3844ec4
commit c66f424c51
2 changed files with 76 additions and 4 deletions
--- a/app/oauth/views/authorize.py
+++ b/app/oauth/views/authorize.py
@ -66,17 +66,23 @@ def authorize():

    client = Client.get_by(oauth_client_id=oauth_client_id)
    if not client:
-        return f"no such client with oauth-client-id {oauth_client_id}", 400
+        final_redirect_uri = (
+            f"{redirect_uri}?error=invalid_client_id&client_id={oauth_client_id}"
+        )
+        return redirect(final_redirect_uri)

    # check if redirect_uri is valid
    # allow localhost by default
    hostname, scheme = get_host_name_and_scheme(redirect_uri)
    if hostname != "localhost" and hostname != "127.0.0.1":
-        if scheme != "https":
-            return "Only https is supported", 400
+        # support custom scheme for mobile app
+        if scheme == "http":
+            final_redirect_uri = f"{redirect_uri}?error=http_not_allowed"
+            return redirect(final_redirect_uri)

        if not RedirectUri.get_by(client_id=client.id, uri=redirect_uri):
-            return f"{redirect_uri} is not authorized", 400
+            final_redirect_uri = f"{redirect_uri}?error=unknown_redirect_uri"
+            return redirect(final_redirect_uri)

    # redirect from client website
    if request.method == "GET":
--- a/tests/oauth/test_authorize.py
+++ b/tests/oauth/test_authorize.py
@ -616,3 +616,69 @@ def test_authorize_code_id_token_flow(flask_client):

    # id_token must be a valid, correctly signed JWT
    assert verify_id_token(r.json["id_token"])
+
+
+def test_authorize_page_invalid_client_id(flask_client):
+    """make sure to redirect user to redirect_url?error=invalid_client_id"""
+    user = login(flask_client)
+    client = Client.create_new("test client", user.id)
+
+    db.session.commit()
+
+    r = flask_client.get(
+        url_for(
+            "oauth.authorize",
+            client_id="invalid_client_id",
+            state="teststate",
+            redirect_uri="http://localhost",
+            response_type="code",
+        )
+    )
+
+    assert r.status_code == 302
+    assert (
+        r.location
+        == "http://localhost?error=invalid_client_id&client_id=invalid_client_id"
+    )
+
+
+def test_authorize_page_http_not_allowed(flask_client):
+    """make sure to redirect user to redirect_url?error=http_not_allowed"""
+    user = login(flask_client)
+    client = Client.create_new("test client", user.id)
+
+    db.session.commit()
+
+    r = flask_client.get(
+        url_for(
+            "oauth.authorize",
+            client_id=client.oauth_client_id,
+            state="teststate",
+            redirect_uri="http://mywebsite.com",
+            response_type="code",
+        )
+    )
+
+    assert r.status_code == 302
+    assert r.location == "http://mywebsite.com?error=http_not_allowed"
+
+
+def test_authorize_page_unknown_redirect_uri(flask_client):
+    """make sure to redirect user to redirect_url?error=unknown_redirect_uri"""
+    user = login(flask_client)
+    client = Client.create_new("test client", user.id)
+
+    db.session.commit()
+
+    r = flask_client.get(
+        url_for(
+            "oauth.authorize",
+            client_id=client.oauth_client_id,
+            state="teststate",
+            redirect_uri="https://unknown.com",
+            response_type="code",
+        )
+    )
+
+    assert r.status_code == 302
+    assert r.location == "https://unknown.com?error=unknown_redirect_uri"