Merge pull request #55 from coreos-inc/oauthdeny

Fix OAuth redirect for denial action when generating for internal tokens
2015-06-05 14:00:16 -04:00 · 2015-06-05 14:00:16 -04:00 · e09d84b3c8
commit e09d84b3c8
parent 2a2414d6af 5516911de9
5 changed files with 56 additions and 16 deletions
--- a/data/model/oauth.py
+++ b/data/model/oauth.py
@ -1,6 +1,7 @@
 import logging
 import json

+from flask import url_for
 from datetime import datetime, timedelta
 from oauth2lib.provider import AuthorizationProvider
 from oauth2lib import utils
@ -9,12 +10,10 @@ from data.database import (OAuthApplication, OAuthAuthorizationCode, OAuthAccess
                           random_string_generator)
 from data.model.legacy import get_user
 from auth import scopes
-from flask import render_template


 logger = logging.getLogger(__name__)

-
 class DatabaseAuthorizationProvider(AuthorizationProvider):
  def get_authorized_user(self):
    raise NotImplementedError('Subclasses must fill in the ability to get the authorized_user.')
@ -45,9 +44,12 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
      return False

  def validate_redirect_uri(self, client_id, redirect_uri):
+    if redirect_uri == url_for('web.oauth_local_handler', _external=True):
+      return True
+
    try:
-      app = OAuthApplication.get(client_id=client_id)
-      if app.redirect_uri and redirect_uri and redirect_uri.startswith(app.redirect_uri):
+      oauth_app = OAuthApplication.get(client_id=client_id)
+      if oauth_app.redirect_uri and redirect_uri and redirect_uri.startswith(oauth_app.redirect_uri):
        return True
      return False
    except OAuthApplication.DoesNotExist:
@ -106,9 +108,9 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
      return None

  def persist_authorization_code(self, client_id, code, scope):
-    app = OAuthApplication.get(client_id=client_id)
+    oauth_app = OAuthApplication.get(client_id=client_id)
    data = self._generate_data_string()
-    OAuthAuthorizationCode.create(application=app, code=code, scope=scope, data=data)
+    OAuthAuthorizationCode.create(application=oauth_app, code=code, scope=scope, data=data)

  def persist_token_information(self, client_id, scope, access_token, token_type, expires_in,
                                refresh_token, data):
@ -116,9 +118,9 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
    if not user:
      raise RuntimeError('Username must be in the data field')

-    app = OAuthApplication.get(client_id=client_id)
+    oauth_app = OAuthApplication.get(client_id=client_id)
    expires_at = datetime.utcnow() + timedelta(seconds=expires_in)
-    OAuthAccessToken.create(application=app, authorized_user=user, scope=scope,
+    OAuthAccessToken.create(application=oauth_app, authorized_user=user, scope=scope,
                            access_token=access_token, token_type=token_type,
                            expires_at=expires_at, refresh_token=refresh_token, data=data)

@ -163,7 +165,7 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):

    # Check redirect URI
    is_valid_redirect_uri = self.validate_redirect_uri(client_id, redirect_uri)
-    if redirect_uri != 'display' and not is_valid_redirect_uri:
+    if not is_valid_redirect_uri:
      return self._invalid_redirect_uri_response()

    # Check conditions
@ -198,10 +200,6 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
    url = utils.build_url(redirect_uri, params)
    url += '#access_token=%s&token_type=%s&expires_in=%s' % (access_token, token_type, expires_in)

-    if redirect_uri == 'display':
-      return self._make_response(
-        render_template("message.html", message="Access Token: " + access_token))
-
    return self._make_response(headers={'Location': url}, status_code=302)