Fix OAuth redirect for denial action when generating for internal tokens
This commit is contained in:
Joseph Schorr
parent
dd28a845db
commit
5516911de9
5 changed files with 56 additions and 16 deletions
|
|
@ -1,6 +1,7 @@
|
|||
import logging
|
||||
import json
|
||||
|
||||
from flask import url_for
|
||||
from datetime import datetime, timedelta
|
||||
from oauth2lib.provider import AuthorizationProvider
|
||||
from oauth2lib import utils
|
||||
|
|
@ -9,12 +10,10 @@ from data.database import (OAuthApplication, OAuthAuthorizationCode, OAuthAccess
|
|||
random_string_generator)
|
||||
from data.model.legacy import get_user
|
||||
from auth import scopes
|
||||
from flask import render_template
|
||||
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class DatabaseAuthorizationProvider(AuthorizationProvider):
|
||||
def get_authorized_user(self):
|
||||
raise NotImplementedError('Subclasses must fill in the ability to get the authorized_user.')
|
||||
|
|
@ -45,9 +44,12 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
|
|||
return False
|
||||
|
||||
def validate_redirect_uri(self, client_id, redirect_uri):
|
||||
if redirect_uri == url_for('web.oauth_local_handler', _external=True):
|
||||
return True
|
||||
|
||||
try:
|
||||
app = OAuthApplication.get(client_id=client_id)
|
||||
if app.redirect_uri and redirect_uri and redirect_uri.startswith(app.redirect_uri):
|
||||
oauth_app = OAuthApplication.get(client_id=client_id)
|
||||
if oauth_app.redirect_uri and redirect_uri and redirect_uri.startswith(oauth_app.redirect_uri):
|
||||
return True
|
||||
return False
|
||||
except OAuthApplication.DoesNotExist:
|
||||
|
|
@ -106,9 +108,9 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
|
|||
return None
|
||||
|
||||
def persist_authorization_code(self, client_id, code, scope):
|
||||
app = OAuthApplication.get(client_id=client_id)
|
||||
oauth_app = OAuthApplication.get(client_id=client_id)
|
||||
data = self._generate_data_string()
|
||||
OAuthAuthorizationCode.create(application=app, code=code, scope=scope, data=data)
|
||||
OAuthAuthorizationCode.create(application=oauth_app, code=code, scope=scope, data=data)
|
||||
|
||||
def persist_token_information(self, client_id, scope, access_token, token_type, expires_in,
|
||||
refresh_token, data):
|
||||
|
|
@ -116,9 +118,9 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
|
|||
if not user:
|
||||
raise RuntimeError('Username must be in the data field')
|
||||
|
||||
app = OAuthApplication.get(client_id=client_id)
|
||||
oauth_app = OAuthApplication.get(client_id=client_id)
|
||||
expires_at = datetime.utcnow() + timedelta(seconds=expires_in)
|
||||
OAuthAccessToken.create(application=app, authorized_user=user, scope=scope,
|
||||
OAuthAccessToken.create(application=oauth_app, authorized_user=user, scope=scope,
|
||||
access_token=access_token, token_type=token_type,
|
||||
expires_at=expires_at, refresh_token=refresh_token, data=data)
|
||||
|
||||
|
|
@ -163,7 +165,7 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
|
|||
|
||||
# Check redirect URI
|
||||
is_valid_redirect_uri = self.validate_redirect_uri(client_id, redirect_uri)
|
||||
if redirect_uri != 'display' and not is_valid_redirect_uri:
|
||||
if not is_valid_redirect_uri:
|
||||
return self._invalid_redirect_uri_response()
|
||||
|
||||
# Check conditions
|
||||
|
|
@ -198,10 +200,6 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
|
|||
url = utils.build_url(redirect_uri, params)
|
||||
url += '#access_token=%s&token_type=%s&expires_in=%s' % (access_token, token_type, expires_in)
|
||||
|
||||
if redirect_uri == 'display':
|
||||
return self._make_response(
|
||||
render_template("message.html", message="Access Token: " + access_token))
|
||||
|
||||
return self._make_response(headers={'Location': url}, status_code=302)
|
||||
|
||||
|
||||
|
|
|
|||
Reference in a new issue