diff options
| author | Jonathan Huot <JonathanHuot@users.noreply.github.com> | 2018-08-12 23:58:28 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-08-12 23:58:28 +0200 |
| commit | 52bd38de2df3d60271703db3d33372c05cbee792 (patch) | |
| tree | 859bbe9fb229aa2608a955d4702939c76ae6ddd6 | |
| parent | 05b118586b805f631d2f38329b3cdbd9243614a3 (diff) | |
| parent | a8df0a2b3e11626301bd260ac1ee2543d915e875 (diff) | |
| download | oauthlib-52bd38de2df3d60271703db3d33372c05cbee792.tar.gz | |
Merge pull request #567 from oauthlib/get_default_redir
Add syntax check of get_default_redirect_uri
| -rw-r--r-- | oauthlib/oauth2/rfc6749/grant_types/authorization_code.py | 2 | ||||
| -rw-r--r-- | tests/oauth2/rfc6749/endpoints/test_error_responses.py | 16 |
2 files changed, 18 insertions, 0 deletions
diff --git a/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py b/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py index 0660263..3d08871 100644 --- a/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py +++ b/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py @@ -312,6 +312,8 @@ class AuthorizationCodeGrant(GrantTypeBase): log.debug('Using default redirect_uri %s.', request.redirect_uri) if not request.redirect_uri: raise errors.MissingRedirectURIError(request=request) + if not is_absolute_uri(request.redirect_uri): + raise errors.InvalidRedirectURIError(request=request) # Then check for normal errors. diff --git a/tests/oauth2/rfc6749/endpoints/test_error_responses.py b/tests/oauth2/rfc6749/endpoints/test_error_responses.py index 875b3a5..de0d834 100644 --- a/tests/oauth2/rfc6749/endpoints/test_error_responses.py +++ b/tests/oauth2/rfc6749/endpoints/test_error_responses.py @@ -44,6 +44,22 @@ class ErrorResponseTest(TestCase): self.assertRaises(errors.InvalidRedirectURIError, self.mobile.create_authorization_response, uri.format('token'), scopes=['foo']) + def test_invalid_default_redirect_uri(self): + uri = 'https://example.com/authorize?response_type={0}&client_id=foo' + self.validator.get_default_redirect_uri.return_value = "wrong" + + # Authorization code grant + self.assertRaises(errors.InvalidRedirectURIError, + self.web.validate_authorization_request, uri.format('code')) + self.assertRaises(errors.InvalidRedirectURIError, + self.web.create_authorization_response, uri.format('code'), scopes=['foo']) + + # Implicit grant + self.assertRaises(errors.InvalidRedirectURIError, + self.mobile.validate_authorization_request, uri.format('token')) + self.assertRaises(errors.InvalidRedirectURIError, + self.mobile.create_authorization_response, uri.format('token'), scopes=['foo']) + def test_missing_redirect_uri(self): uri = 'https://example.com/authorize?response_type={0}&client_id=foo' |