Mitigate open redirect with OAuth (#1176)

* Mitigate open redirect with OAuth * Fix tests
2024-11-18 01:40:38 +01:00 · 2022-07-21 14:23:08 +02:00 · 2022-07-21 14:23:08 +02:00 · f1b22d4ef9
commit f1b22d4ef9
parent 598d912f2e
2 changed files with 6 additions and 6 deletions
--- a/app/oauth/views/authorize.py
+++ b/app/oauth/views/authorize.py
@ -78,13 +78,13 @@ def authorize():
    if hostname != "localhost" and hostname != "127.0.0.1":
        # support custom scheme for mobile app
        if scheme == "http":
-            final_redirect_uri = f"{redirect_uri}?error=http_not_allowed"
+            flash("The external client must use HTTPS", "error")
-            return redirect(final_redirect_uri)
+            return redirect(url_for("dashboard.index"))
        # check if redirect_uri is valid
        if not RedirectUri.get_by(client_id=client.id, uri=redirect_uri):
-            final_redirect_uri = f"{redirect_uri}?error=unknown_redirect_uri"
+            flash("The external client is using an invalid URL", "error")
-            return redirect(final_redirect_uri)
+            return redirect(url_for("dashboard.index"))
    # redirect from client website
    if request.method == "GET":
--- a/tests/oauth/test_authorize.py
+++ b/tests/oauth/test_authorize.py
@ -724,7 +724,7 @@ def test_authorize_page_http_not_allowed(flask_client):
    )
    assert r.status_code == 302
-    assert r.location == "http://mywebsite.com?error=http_not_allowed"
+    assert r.location == url_for("dashboard.index")
 def test_authorize_page_unknown_redirect_uri(flask_client):
@ -746,4 +746,4 @@ def test_authorize_page_unknown_redirect_uri(flask_client):
    )
    assert r.status_code == 302
-    assert r.location == "https://unknown.com?error=unknown_redirect_uri"
+    assert r.location == url_for("dashboard.index")