redirect to ?error=invalid_client_id|http_not_allowed|unknown_redirect_uri instead of return 400
This commit is contained in:
parent
61a3844ec4
commit
c66f424c51
@ -66,17 +66,23 @@ def authorize():
|
||||
|
||||
client = Client.get_by(oauth_client_id=oauth_client_id)
|
||||
if not client:
|
||||
return f"no such client with oauth-client-id {oauth_client_id}", 400
|
||||
final_redirect_uri = (
|
||||
f"{redirect_uri}?error=invalid_client_id&client_id={oauth_client_id}"
|
||||
)
|
||||
return redirect(final_redirect_uri)
|
||||
|
||||
# check if redirect_uri is valid
|
||||
# allow localhost by default
|
||||
hostname, scheme = get_host_name_and_scheme(redirect_uri)
|
||||
if hostname != "localhost" and hostname != "127.0.0.1":
|
||||
if scheme != "https":
|
||||
return "Only https is supported", 400
|
||||
# support custom scheme for mobile app
|
||||
if scheme == "http":
|
||||
final_redirect_uri = f"{redirect_uri}?error=http_not_allowed"
|
||||
return redirect(final_redirect_uri)
|
||||
|
||||
if not RedirectUri.get_by(client_id=client.id, uri=redirect_uri):
|
||||
return f"{redirect_uri} is not authorized", 400
|
||||
final_redirect_uri = f"{redirect_uri}?error=unknown_redirect_uri"
|
||||
return redirect(final_redirect_uri)
|
||||
|
||||
# redirect from client website
|
||||
if request.method == "GET":
|
||||
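Review bot: Each of the three new error branches redirects to a `redirect_uri` that has not yet been validated, which turns the authorize endpoint into an open redirector: the `invalid_client_id` branch fires before any client is known, the `http_not_allowed` branch before the URI is compared with the client's `RedirectUri` rows, and the `unknown_redirect_uri` branch fires precisely because the URI is not registered. RFC 6749 §4.1.2.1 requires the authorization server to inform the user and not redirect when the client_id or the redirection URI is invalid or mismatching, so these three cases should keep the removed `return ..., 400` (or render an error page) and `?error=` redirection should be reserved for failures detected after the URI is confirmed registered. If a redirect is kept for such post-validation errors, build the query with `urllib.parse.urlencode`, join with `&` when `redirect_uri` already carries a query string (the current `f"{redirect_uri}?error=..."` would produce a second `?`), and echo `state` as the spec requires. authorize() begins and ends outside this hunk, so how `redirect_uri` and `oauth_client_id` are read from the request is not visible here.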
|
@ -616,3 +616,69 @@ def test_authorize_code_id_token_flow(flask_client):
|
||||
|
||||
# id_token must be a valid, correctly signed JWT
|
||||
assert verify_id_token(r.json["id_token"])
|
||||
|
||||
|
||||
def test_authorize_page_invalid_client_id(flask_client):
|
||||
"""make sure to redirect user to redirect_url?error=invalid_client_id"""
|
||||
user = login(flask_client)
|
||||
client = Client.create_new("test client", user.id)
|
||||
|
||||
db.session.commit()
|
||||
|
||||
r = flask_client.get(
|
||||
url_for(
|
||||
"oauth.authorize",
|
||||
client_id="invalid_client_id",
|
||||
state="teststate",
|
||||
redirect_uri="http://localhost",
|
||||
response_type="code",
|
||||
)
|
||||
)
|
||||
|
||||
assert r.status_code == 302
|
||||
assert (
|
||||
r.location
|
||||
== "http://localhost?error=invalid_client_id&client_id=invalid_client_id"
|
||||
)
|
||||
|
||||
|
||||
def test_authorize_page_http_not_allowed(flask_client):
|
||||
"""make sure to redirect user to redirect_url?error=http_not_allowed"""
|
||||
user = login(flask_client)
|
||||
client = Client.create_new("test client", user.id)
|
||||
|
||||
db.session.commit()
|
||||
|
||||
r = flask_client.get(
|
||||
url_for(
|
||||
"oauth.authorize",
|
||||
client_id=client.oauth_client_id,
|
||||
state="teststate",
|
||||
redirect_uri="http://mywebsite.com",
|
||||
response_type="code",
|
||||
)
|
||||
)
|
||||
|
||||
assert r.status_code == 302
|
||||
assert r.location == "http://mywebsite.com?error=http_not_allowed"
|
||||
|
||||
|
||||
def test_authorize_page_unknown_redirect_uri(flask_client):
|
||||
"""make sure to redirect user to redirect_url?error=unknown_redirect_uri"""
|
||||
user = login(flask_client)
|
||||
client = Client.create_new("test client", user.id)
|
||||
|
||||
db.session.commit()
|
||||
|
||||
r = flask_client.get(
|
||||
url_for(
|
||||
"oauth.authorize",
|
||||
client_id=client.oauth_client_id,
|
||||
state="teststate",
|
||||
redirect_uri="https://unknown.com",
|
||||
response_type="code",
|
||||
)
|
||||
)
|
||||
|
||||
assert r.status_code == 302
|
||||
assert r.location == "https://unknown.com?error=unknown_redirect_uri"
|
||||
|
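Review bot: The new tests pin the redirect behaviour only on the simplest inputs: none uses a `redirect_uri` that already carries a query string, for which the `f"{redirect_uri}?error=..."` concatenation in authorize() yields a malformed URL with two `?`, and none asserts that `state="teststate"` is returned on the error redirect. A case such as `redirect_uri="https://unknown.com/cb?foo=bar"` with the assertion made on the parsed query (`urllib.parse.urlparse(r.location).query`) rather than an exact string would cover both. The `client` local in test_authorize_page_invalid_client_id is assigned but never read; call `Client.create_new("test client", user.id)` without binding it, or drop the setup if the test only needs an unknown client_id.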