From b7f487da42f5e09b41f0750f7ba15f2d50d71f85 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Tue, 1 Sep 2015 15:03:46 -0400 Subject: [PATCH] Build the OAuth redirect URL ourselves, rather than relying on undocumented Flask behavior --- app.py | 5 +++-- data/model/oauth.py | 8 ++++++-- util/__init__.py | 3 +++ 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/app.py b/app.py index d87c4e89a..1c968f62f 100644 --- a/app.py +++ b/app.py @@ -2,6 +2,7 @@ import logging import os import json +from functools import partial from flask import Flask, request, Request, _request_ctx_stack from flask.ext.principal import Principal from flask.ext.login import LoginManager, UserMixin @@ -21,6 +22,7 @@ from data.buildlogs import BuildLogs from data.archivedlogs import LogArchive from data.userevent import UserEventsBuilderModule from data.queue import WorkQueue, MetricQueueReporter +from util import get_app_url from util.saas.analytics import Analytics from util.saas.exceptionlog import Sentry from util.names import urn_generator @@ -173,5 +175,4 @@ class LoginWrappedDBUser(UserMixin): def get_id(self): return unicode(self._uuid) -def get_app_url(): - return '%s://%s' % (app.config['PREFERRED_URL_SCHEME'], app.config['SERVER_HOSTNAME']) +get_app_url = partial(get_app_url, app.config) diff --git a/data/model/oauth.py b/data/model/oauth.py index 8c3fb5624..bdec2f7a1 100644 --- a/data/model/oauth.py +++ b/data/model/oauth.py @@ -8,8 +8,9 @@ from oauth2lib import utils from data.database import (OAuthApplication, OAuthAuthorizationCode, OAuthAccessToken, User, AccessToken, random_string_generator) -from data.model import user +from data.model import user, config from auth import scopes +from util import get_app_url logger = logging.getLogger(__name__) 
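Review bot: The rebinding `get_app_url = partial(get_app_url, app.config)` at the tail of app.py shadows the name imported with `from util import get_app_url` near the top of the same file, so a reader who sees the import expects a one-argument function while callers of `app.get_app_url()` still get the zero-argument form that the removed definition provided. A comment on the rebinding would make that explicit, e.g. `# Bind this app's config so existing callers keep the zero-argument get_app_url() that used to be defined here.` Because the partial captures a reference to `app.config` rather than a copy, later changes to the config object are still visible to callers, which looks intended but is worth stating. The `LoginWrappedDBUser` class whose `get_id` method forms the hunk's leading context starts outside the hunk.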
@@ -45,7 +46,10 @@ class DatabaseAuthorizationProvider(AuthorizationProvider): return False def validate_redirect_uri(self, client_id, redirect_uri): - if redirect_uri == url_for('web.oauth_local_handler', _external=True): + internal_redirect_url = '%s%s' % (get_app_url(config.app_config), + url_for('web.oauth_local_handler')) + + if redirect_uri == internal_redirect_url: return True try: diff --git a/util/__init__.py b/util/__init__.py index e69de29bb..cbabb8fbe 100644 --- a/util/__init__.py +++ b/util/__init__.py @@ -0,0 +1,3 @@ +def get_app_url(config): + """ Returns the application's URL, based on the given config. """ + return '%s://%s' % (config['PREFERRED_URL_SCHEME'], config['SERVER_HOSTNAME'])
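Review bot: The new `internal_redirect_url` is a plain `'%s%s'` join of `get_app_url(config.app_config)` and the path from `url_for('web.oauth_local_handler')`, so it silently assumes `SERVER_HOSTNAME` carries no trailing slash or path component; if a deployment configures one, the internal handler's redirect URI will never match and every such request falls through to the client lookup below. Either normalise once, `get_app_url(config.app_config).rstrip('/')`, or document the assumption with a comment such as `# Exact match against the URL built from our own config (scheme + hostname + handler path); the request's Host header is deliberately not consulted.` Note also that a missing `PREFERRED_URL_SCHEME` or `SERVER_HOSTNAME` key now surfaces as a KeyError inside the validator at request time rather than at startup, which is presumably acceptable but should be a conscious choice. `validate_redirect_uri` continues past the hunk (the `try:` block), and its enclosing class begins before it.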
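Review bot: The docstring on the new `get_app_url(config)` in util/__init__.py does not name the two keys that make up its entire contract, and both callers added in this commit (Flask's `app.config` and `data.model.config.app_config`) rely on them being present, so a missing key raises a bare KeyError with no hint of which setting is absent. I would expand it to `""" Returns the application's base URL ('scheme://hostname') built from the given config mapping, which must provide PREFERRED_URL_SCHEME and SERVER_HOSTNAME (KeyError otherwise). """`. Since `config` is only subscripted, any mapping works, which is worth saying because the two call sites pass different config objects.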