authorJonathan Huot <JonathanHuot@users.noreply.github.com>2018-08-12 23:59:35 +0200
committerGitHub <noreply@github.com>2018-08-12 23:59:35 +0200
commit21040fbbd19bd0ef47e9e8b38534e46bc90c7f3e (patch)
treefde0e9781a6fb3f5df425a5840177e1544973c9e
parentf0958f021ab99429446ebfdef418f8426ebe00c4 (diff)
parent52bd38de2df3d60271703db3d33372c05cbee792 (diff)
downloadoauthlib-21040fbbd19bd0ef47e9e8b38534e46bc90c7f3e.tar.gz
Merge branch 'master' into docs-jwt
-rw-r--r--oauthlib/common.py2
-rw-r--r--oauthlib/oauth2/rfc6749/grant_types/authorization_code.py2
-rw-r--r--oauthlib/oauth2/rfc6749/parameters.py4
-rw-r--r--tests/oauth2/rfc6749/clients/test_mobile_application.py2
-rw-r--r--tests/oauth2/rfc6749/endpoints/test_error_responses.py16
-rw-r--r--tests/oauth2/rfc6749/test_parameters.py2
-rw-r--r--tests/test_common.py2
7 files changed, 27 insertions, 3 deletions
diff --git a/oauthlib/common.py b/oauthlib/common.py
index f25656f..c1180e6 100644
--- a/oauthlib/common.py
+++ b/oauthlib/common.py
@@ -114,7 +114,7 @@ def decode_params_utf8(params):
return decoded
-urlencoded = set(always_safe) | set('=&;:%+~,*@!()/?')
+urlencoded = set(always_safe) | set('=&;:%+~,*@!()/?\'$')
def urldecode(query):
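Review bot: The `urlencoded` allowlist has no comment saying what it guards, and the changed line now admits `'` and `$`. Judging from the assertions in tests/test_common.py, `urldecode` raises `ValueError` for queries containing characters outside this set, so it is a syntax check only; code that later places decoded values into SQL, shell or template contexts still has to escape them itself. I would add above the assignment `# Characters urldecode() accepts in a query string; a syntax check, not sanitisation: values may contain quotes and '$'.` The body of `urldecode` lies outside the hunk, so how the set is applied is inferred from the tests.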
diff --git a/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py b/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
index 0660263..3d08871 100644
--- a/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
+++ b/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
@@ -312,6 +312,8 @@ class AuthorizationCodeGrant(GrantTypeBase):
log.debug('Using default redirect_uri %s.', request.redirect_uri)
if not request.redirect_uri:
raise errors.MissingRedirectURIError(request=request)
+ if not is_absolute_uri(request.redirect_uri):
+ raise errors.InvalidRedirectURIError(request=request)
# Then check for normal errors.
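Review bot: The added `is_absolute_uri` check carries no comment saying why it is there or what it does not cover. It sits in what appears to be the default-redirect-URI branch (the `log.debug('Using default redirect_uri ...')` line above it), and the enclosing method starts and ends outside the hunk. I would add `# RFC 6749 section 3.1.2: the redirection endpoint must be an absolute URI; this checks form only, not that the URI belongs to the client.` so that a later reader does not treat the check as the registration match. The import of `is_absolute_uri` is not visible in this hunk and is presumably already present in the file.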
diff --git a/oauthlib/oauth2/rfc6749/parameters.py b/oauthlib/oauth2/rfc6749/parameters.py
index 9ea8c44..c5127e7 100644
--- a/oauthlib/oauth2/rfc6749/parameters.py
+++ b/oauthlib/oauth2/rfc6749/parameters.py
@@ -279,6 +279,10 @@ def parse_implicit_response(uri, state=None, scope=None):
fragment = urlparse.urlparse(uri).fragment
params = dict(urlparse.parse_qsl(fragment, keep_blank_values=True))
+ for key in ('expires_in',):
+ if key in params: # cast things to int
+ params[key] = int(params[key])
+
if 'scope' in params:
params['scope'] = scope_to_list(params['scope'])
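Review bot: The new `int(params[key])` cast runs on a value taken straight from the URI fragment, so a non-numeric or empty `expires_in` raises a bare `ValueError` out of `parse_implicit_response`. Because `parse_qsl` is called with `keep_blank_values=True`, a fragment containing `expires_in=` with no value reaches `int('')`. I would wrap the cast in `try`/`except ValueError` and re-raise as whichever error type this module already uses for malformed token responses (not visible in the hunk), so callers see a protocol error rather than a conversion failure. A negative value also passes the cast; whether later code in the function, which continues outside the hunk, tolerates that should be confirmed.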
diff --git a/tests/oauth2/rfc6749/clients/test_mobile_application.py b/tests/oauth2/rfc6749/clients/test_mobile_application.py
index 51e4dab..622b275 100644
--- a/tests/oauth2/rfc6749/clients/test_mobile_application.py
+++ b/tests/oauth2/rfc6749/clients/test_mobile_application.py
@@ -40,7 +40,7 @@ class MobileApplicationClientTest(TestCase):
token = {
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
- "expires_in": "3600",
+ "expires_in": 3600,
"expires_at": 4600,
"scope": scope,
"example_parameter": "example_value"
diff --git a/tests/oauth2/rfc6749/endpoints/test_error_responses.py b/tests/oauth2/rfc6749/endpoints/test_error_responses.py
index 875b3a5..de0d834 100644
--- a/tests/oauth2/rfc6749/endpoints/test_error_responses.py
+++ b/tests/oauth2/rfc6749/endpoints/test_error_responses.py
@@ -44,6 +44,22 @@ class ErrorResponseTest(TestCase):
self.assertRaises(errors.InvalidRedirectURIError,
self.mobile.create_authorization_response, uri.format('token'), scopes=['foo'])
+ def test_invalid_default_redirect_uri(self):
+ uri = 'https://example.com/authorize?response_type={0}&client_id=foo'
+ self.validator.get_default_redirect_uri.return_value = "wrong"
+
+ # Authorization code grant
+ self.assertRaises(errors.InvalidRedirectURIError,
+ self.web.validate_authorization_request, uri.format('code'))
+ self.assertRaises(errors.InvalidRedirectURIError,
+ self.web.create_authorization_response, uri.format('code'), scopes=['foo'])
+
+ # Implicit grant
+ self.assertRaises(errors.InvalidRedirectURIError,
+ self.mobile.validate_authorization_request, uri.format('token'))
+ self.assertRaises(errors.InvalidRedirectURIError,
+ self.mobile.create_authorization_response, uri.format('token'), scopes=['foo'])
+
def test_missing_redirect_uri(self):
uri = 'https://example.com/authorize?response_type={0}&client_id=foo'
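Review bot: `test_invalid_default_redirect_uri` exercises only the bare word `"wrong"` as the default redirect URI, so the shapes a misconfigured validator is more likely to return (a relative path, a scheme-relative value) are not pinned down. Consider running the same four assertions over several values, e.g. `for bad in ("wrong", "/callback", "//example.com/cb"):` with `self.validator.get_default_redirect_uri.return_value = bad` inside the loop. Whether `is_absolute_uri` rejects each of these is not visible on this page, so the extra cases would document the actual behaviour. The implicit-grant assertions also depend on a check in code that this diff does not touch.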
diff --git a/tests/oauth2/rfc6749/test_parameters.py b/tests/oauth2/rfc6749/test_parameters.py
index 6ba98c0..b211d1e 100644
--- a/tests/oauth2/rfc6749/test_parameters.py
+++ b/tests/oauth2/rfc6749/test_parameters.py
@@ -86,7 +86,7 @@ class ParameterTests(TestCase):
'access_token': '2YotnFZFEjr1zCsicMWpAA',
'state': state,
'token_type': 'example',
- 'expires_in': '3600',
+ 'expires_in': 3600,
'expires_at': 4600,
'scope': ['abc']
}
diff --git a/tests/test_common.py b/tests/test_common.py
index b0ea20d..fb4bd5b 100644
--- a/tests/test_common.py
+++ b/tests/test_common.py
@@ -39,6 +39,8 @@ class EncodingTest(TestCase):
self.assertItemsEqual(urldecode('foo=bar@spam'), [('foo', 'bar@spam')])
self.assertItemsEqual(urldecode('foo=bar/baz'), [('foo', 'bar/baz')])
self.assertItemsEqual(urldecode('foo=bar?baz'), [('foo', 'bar?baz')])
+ self.assertItemsEqual(urldecode('foo=bar\'s'), [('foo', 'bar\'s')])
+ self.assertItemsEqual(urldecode('foo=$'), [('foo', '$')])
self.assertRaises(ValueError, urldecode, 'foo bar')
self.assertRaises(ValueError, urldecode, '%R')
self.assertRaises(ValueError, urldecode, '%RA')