Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Validate authorize query #80

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Validate authorize query #80

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions nens_auth_client/cognito.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -147,3 +147,14 @@ def load_key(header, payload):

claims.validate(leeway=leeway)
return claims

def validate_authorize_request_params(self, query_params):
"""Returns a list of validation errors"""
result = []
if query_params.get("error"):
return result
if not query_params.get("code"):
result.append("missing 'code' parameter")
if not query_params.get("state"):
result.append("missing 'state' parameter")
return result
8 changes: 8 additions & 0 deletions nens_auth_client/tests/test_authorize_view.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -383,6 +383,14 @@ def test_authorize_error_with_description(rf):
views.authorize(request)


@pytest.mark.parametrize("params", ["", "code=foo", "state=bar"])
def test_authorize_missing_query_params(rf):
request = rf.get(f"http://testserver/authorize/?{params}")
request.session = {}
response = views.authorize(request)
assert response.status_code == 400


def test_token_error(rq_mocker, rf, openid_configuration):
rq_mocker.post(
openid_configuration["token_endpoint"],
Expand Down
10 changes: 8 additions & 2 deletions nens_auth_client/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
from django.conf import settings
from django.contrib.auth import REDIRECT_FIELD_NAME
from django.core.exceptions import PermissionDenied
from django.http.response import HttpResponseRedirect
from django.http.response import HttpResponseRedirect, JsonResponse
from django.shortcuts import get_object_or_404
from django.urls import reverse

Expand Down Expand Up @@ -134,6 +134,10 @@ def authorize(request):

HTTP 302 Redirect to the 'next' query parameter (see login view)

missing query parameters:

HTTP 400 Bad Request

invalid state / expired code:

HTTP 302 Redirect to the login view ('next' parameter is persisted, but
Expand All @@ -150,7 +154,9 @@ def authorize(request):
acceptable invitation.
"""
client = get_oauth_client()
# client.check_error_in_query_params(request)
validation_errors = client.validate_authorize_request_params(request.GET)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: underlying oauthlib also support request.POST, however I think we only are going to use that.

if validation_errors:
return JsonResponse({"errors": validation_errors}, status=400)
try:
tokens = client.authorize_access_token(
request, timeout=settings.NENS_AUTH_TIMEOUT
Expand Down