From c66f424c51d5640b7667a25b034309e075f6c825 Mon Sep 17 00:00:00 2001
From: Son NK
Date: Tue, 12 Nov 2019 13:58:17 +0100
Subject: [PATCH] redirect to ?error=invalid_client_id|http_not_allowed|unknown_redirect_uri instead of return 400

---
 app/oauth/views/authorize.py  | 14 +++++---
 tests/oauth/test_authorize.py | 66 +++++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+), 4 deletions(-)

diff --git a/app/oauth/views/authorize.py b/app/oauth/views/authorize.py
index 7fa4a168..d983b785 100644
--- a/app/oauth/views/authorize.py
+++ b/app/oauth/views/authorize.py
@@ -66,17 +66,23 @@ def authorize():
     client = Client.get_by(oauth_client_id=oauth_client_id)
 
     if not client:
-        return f"no such client with oauth-client-id {oauth_client_id}", 400
+        final_redirect_uri = (
+            f"{redirect_uri}?error=invalid_client_id&client_id={oauth_client_id}"
+        )
+        return redirect(final_redirect_uri)
 
     # check if redirect_uri is valid
     # allow localhost by default
     hostname, scheme = get_host_name_and_scheme(redirect_uri)
     if hostname != "localhost" and hostname != "127.0.0.1":
-        if scheme != "https":
-            return "Only https is supported", 400
+        # support custom scheme for mobile app
+        if scheme == "http":
+            final_redirect_uri = f"{redirect_uri}?error=http_not_allowed"
+            return redirect(final_redirect_uri)
 
         if not RedirectUri.get_by(client_id=client.id, uri=redirect_uri):
-            return f"{redirect_uri} is not authorized", 400
+            final_redirect_uri = f"{redirect_uri}?error=unknown_redirect_uri"
+            return redirect(final_redirect_uri)
 
     # redirect from client website
     if request.method == "GET":
diff --git a/tests/oauth/test_authorize.py b/tests/oauth/test_authorize.py
index 45f77f2a..3620cade 100644
--- a/tests/oauth/test_authorize.py
+++ b/tests/oauth/test_authorize.py
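Review bot: The `if not client:` and `if not RedirectUri.get_by(...)` branches now redirect to `redirect_uri` before it has been validated — the client does not exist, or the URI is by definition not registered for it — which turns the authorize endpoint into an open redirect (`/oauth/authorize?client_id=x&redirect_uri=https://evil.example` bounces the user off this origin behind a trusted-looking Location header). RFC 6749 §4.1.2.1 is explicit that on a missing or invalid client_id, or a mismatching redirect_uri, the server MUST NOT redirect and should show the resource owner an error instead; the `http_not_allowed` branch has the same problem because it runs before the registration lookup. Keep the non-redirecting 400 for those two cases, move the registration check ahead of the scheme check, and only redirect with `?error=` once the URI is known to belong to the client. Even for a legitimate error redirect the query string needs care: `redirect_uri` may already contain `?`, `client_id` is interpolated unescaped, and `state` (parsed earlier in `authorize()`, outside this hunk, judging by the tests) must be echoed back. The sketch below assumes `state` is in scope and `urlencode` is imported from `urllib.parse`.
```python
    if not client:
        # RFC 6749 §4.1.2.1: an invalid client_id must never redirect anywhere
        return f"no such client with oauth-client-id {oauth_client_id}", 400

    # … unchanged: hostname/scheme extraction …
    if hostname != "localhost" and hostname != "127.0.0.1":
        # verify registration first so nothing below redirects to an unverified URI
        if not RedirectUri.get_by(client_id=client.id, uri=redirect_uri):
            return f"{redirect_uri} is not authorized", 400

        # support custom scheme for mobile app; redirect_uri is registered, so redirecting is safe
        if scheme == "http":
            params = {"error": "http_not_allowed"}
            if state:
                params["state"] = state
            sep = "&" if "?" in redirect_uri else "?"
            return redirect(f"{redirect_uri}{sep}{urlencode(params)}")
```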
@@ -616,3 +616,69 @@ def test_authorize_code_id_token_flow(flask_client): # id_token must be a valid, correctly signed JWT assert verify_id_token(r.json["id_token"]) + + +def test_authorize_page_invalid_client_id(flask_client): + """make sure to redirect user to redirect_url?error=invalid_client_id""" + user = login(flask_client) + client = Client.create_new("test client", user.id) + + db.session.commit() + + r = flask_client.get( + url_for( + "oauth.authorize", + client_id="invalid_client_id", + state="teststate", + redirect_uri="http://localhost", + response_type="code", + ) + ) + + assert r.status_code == 302 + assert ( + r.location + == "http://localhost?error=invalid_client_id&client_id=invalid_client_id" + ) + + +def test_authorize_page_http_not_allowed(flask_client): + """make sure to redirect user to redirect_url?error=http_not_allowed""" + user = login(flask_client) + client = Client.create_new("test client", user.id) + + db.session.commit() + + r = flask_client.get( + url_for( + "oauth.authorize", + client_id=client.oauth_client_id, + state="teststate", + redirect_uri="http://mywebsite.com", + response_type="code", + ) + ) + + assert r.status_code == 302 + assert r.location == "http://mywebsite.com?error=http_not_allowed" + + +def test_authorize_page_unknown_redirect_uri(flask_client): + """make sure to redirect user to redirect_url?error=unknown_redirect_uri""" + user = login(flask_client) + client = Client.create_new("test client", user.id) + + db.session.commit() + + r = flask_client.get( + url_for( + "oauth.authorize", + client_id=client.oauth_client_id, + state="teststate", + redirect_uri="https://unknown.com", + response_type="code", + ) + ) + + assert r.status_code == 302 + assert r.location == "https://unknown.com?error=unknown_redirect_uri"
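Review bot: `test_authorize_page_invalid_client_id` and `test_authorize_page_unknown_redirect_uri` pin an open redirect as the expected behaviour: both assert a 302 whose Location is a `redirect_uri` that was never registered for the client (`https://unknown.com` is chosen precisely because it is unknown), which RFC 6749 §4.1.2.1 forbids. If the view is changed to not redirect on an invalid client_id or an unregistered redirect_uri, these two tests should instead assert `r.status_code == 400` and `"Location" not in r.headers`. The `http_not_allowed` test has the same shape — `http://mywebsite.com` is not registered either — so it should also expect the non-redirecting error, or first register the URI if a redirect is the intended contract there. None of the three tests exercise a `redirect_uri` that already carries a query string or check that the `state` sent in the request (`teststate`) is echoed in the error redirect, which are the two details the new `?error=` string construction gets wrong.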