redirect to ?error=invalid_client_id|http_not_allowed|unknown_redirect_uri instead of return 400
parent
61a3844ec4
commit
c66f424c51
|
@ -66,17 +66,23 @@ def authorize():
|
||||||
|
|
||||||
client = Client.get_by(oauth_client_id=oauth_client_id)
|
client = Client.get_by(oauth_client_id=oauth_client_id)
|
||||||
if not client:
|
if not client:
|
||||||
return f"no such client with oauth-client-id {oauth_client_id}", 400
|
final_redirect_uri = (
|
||||||
|
f"{redirect_uri}?error=invalid_client_id&client_id={oauth_client_id}"
|
||||||
|
)
|
||||||
|
return redirect(final_redirect_uri)
|
||||||
|
|
||||||
# check if redirect_uri is valid
|
# check if redirect_uri is valid
|
||||||
# allow localhost by default
|
# allow localhost by default
|
||||||
hostname, scheme = get_host_name_and_scheme(redirect_uri)
|
hostname, scheme = get_host_name_and_scheme(redirect_uri)
|
||||||
if hostname != "localhost" and hostname != "127.0.0.1":
|
if hostname != "localhost" and hostname != "127.0.0.1":
|
||||||
if scheme != "https":
|
# support custom scheme for mobile app
|
||||||
return "Only https is supported", 400
|
if scheme == "http":
|
||||||
|
final_redirect_uri = f"{redirect_uri}?error=http_not_allowed"
|
||||||
|
return redirect(final_redirect_uri)
|
||||||
|
|
||||||
if not RedirectUri.get_by(client_id=client.id, uri=redirect_uri):
|
if not RedirectUri.get_by(client_id=client.id, uri=redirect_uri):
|
||||||
return f"{redirect_uri} is not authorized", 400
|
final_redirect_uri = f"{redirect_uri}?error=unknown_redirect_uri"
|
||||||
|
return redirect(final_redirect_uri)
|
||||||
|
|
||||||
# redirect from client website
|
# redirect from client website
|
||||||
if request.method == "GET":
|
if request.method == "GET":
|
||||||
|
|
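Review bot: The three new redirects (the `final_redirect_uri` built under `if not client:`, under `if scheme == "http":`, and under `if not RedirectUri.get_by(...)`) send the user-agent to a redirect_uri that has not been matched against the client's registered URIs — the RedirectUri lookup only runs after the first two, and the third fires precisely because the URI is unregistered — so any caller-supplied URL becomes an open redirect off the authorization endpoint. RFC 6749 §4.1.2.1 says the server MUST NOT automatically redirect to an invalid or mismatching redirection URI, nor when the client identifier is invalid; the 400 responses this commit removes were the conformant behaviour for these cases, and an error response should be kept here, with the redirect-with-error form reserved for failures detected after redirect_uri has been validated (where `state` must also be echoed back). Separately, `f"{redirect_uri}?error=..."` appends a second `?` whenever the redirect_uri already carries a query string; assembling the URL with `urllib.parse` (parse, extend the query, unparse) avoids that. authorize() starts and ends outside the hunk.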
|
@ -616,3 +616,69 @@ def test_authorize_code_id_token_flow(flask_client):
|
||||||
|
|
||||||
# id_token must be a valid, correctly signed JWT
|
# id_token must be a valid, correctly signed JWT
|
||||||
assert verify_id_token(r.json["id_token"])
|
assert verify_id_token(r.json["id_token"])
|
||||||
|
|
||||||
|
|
||||||
|
def test_authorize_page_invalid_client_id(flask_client):
|
||||||
|
"""make sure to redirect user to redirect_url?error=invalid_client_id"""
|
||||||
|
user = login(flask_client)
|
||||||
|
client = Client.create_new("test client", user.id)
|
||||||
|
|
||||||
|
db.session.commit()
|
||||||
|
|
||||||
|
r = flask_client.get(
|
||||||
|
url_for(
|
||||||
|
"oauth.authorize",
|
||||||
|
client_id="invalid_client_id",
|
||||||
|
state="teststate",
|
||||||
|
redirect_uri="http://localhost",
|
||||||
|
response_type="code",
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
assert r.status_code == 302
|
||||||
|
assert (
|
||||||
|
r.location
|
||||||
|
== "http://localhost?error=invalid_client_id&client_id=invalid_client_id"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def test_authorize_page_http_not_allowed(flask_client):
|
||||||
|
"""make sure to redirect user to redirect_url?error=http_not_allowed"""
|
||||||
|
user = login(flask_client)
|
||||||
|
client = Client.create_new("test client", user.id)
|
||||||
|
|
||||||
|
db.session.commit()
|
||||||
|
|
||||||
|
r = flask_client.get(
|
||||||
|
url_for(
|
||||||
|
"oauth.authorize",
|
||||||
|
client_id=client.oauth_client_id,
|
||||||
|
state="teststate",
|
||||||
|
redirect_uri="http://mywebsite.com",
|
||||||
|
response_type="code",
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
assert r.status_code == 302
|
||||||
|
assert r.location == "http://mywebsite.com?error=http_not_allowed"
|
||||||
|
|
||||||
|
|
||||||
|
def test_authorize_page_unknown_redirect_uri(flask_client):
|
||||||
|
"""make sure to redirect user to redirect_url?error=unknown_redirect_uri"""
|
||||||
|
user = login(flask_client)
|
||||||
|
client = Client.create_new("test client", user.id)
|
||||||
|
|
||||||
|
db.session.commit()
|
||||||
|
|
||||||
|
r = flask_client.get(
|
||||||
|
url_for(
|
||||||
|
"oauth.authorize",
|
||||||
|
client_id=client.oauth_client_id,
|
||||||
|
state="teststate",
|
||||||
|
redirect_uri="https://unknown.com",
|
||||||
|
response_type="code",
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
assert r.status_code == 302
|
||||||
|
assert r.location == "https://unknown.com?error=unknown_redirect_uri"
|
||||||
|
|
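Review bot: These three tests assert a 302 whose Location is a redirect_uri the server never validated (`http://localhost` for an unknown client, `http://mywebsite.com` and `https://unknown.com` for URIs not registered to the client), so they lock in redirecting to caller-controlled URLs rather than guarding against it; if authorize() keeps an error response for unvalidated URIs, these should assert the 400/error page instead of the Location. In test_authorize_page_invalid_client_id the created `client` is never referenced — either drop the assignment or assert on it so the failure is clearly attributable to the bogus client_id. None of the three checks that `state="teststate"` is carried through on the error response, which is where a regression in state handling would otherwise go unnoticed.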