author | Lars Wirzenius <liw@liw.fi> | 2018-08-06 15:36:53 +0300 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2018-08-06 15:36:53 +0300 |
commit | 6225fa2953f1034d12bec3bde482ce44c26596cf (patch) | |
tree | be416022d13d8569a168bd906f5b58cff91e8815 | |
parent | 09feb01bd97c4b3e372750c0f894cd65ee42d86a (diff) | |
download | qvisqve-6225fa2953f1034d12bec3bde482ce44c26596cf.tar.gz |
Fix: if redirect uri is wrong, return 400 for token
-rw-r--r-- | qvisqve/auth_router.py | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/qvisqve/auth_router.py b/qvisqve/auth_router.py
index 097b5e7..8917df5 100644
--- a/qvisqve/auth_router.py
+++ b/qvisqve/auth_router.py
@@ -85,6 +85,17 @@ class AuthRouter(qvisqve.Router):
 'trace', msg_text='params', path=path, qs=qs, params=params, cleaned=cleaned)
+ client_id = cleaned.get('client_id')
+ redirect_uri = cleaned.get('redirect_uri')
+ app = self._apps.get(client_id) # Check the app exist
+ if app is None:
+ redirect_uri = ''
+ else:
+ callbacks = self._apps.get_callbacks(client_id)
+ if redirect_uri not in callbacks:
+ redirect_uri = ''
+ cleaned['redirect_uri'] = redirect_uri
+
 aa = self._attempts.create_attempt(cleaned)
 form = bottle.template(login_form, attempt_id=aa.get_attempt_id())
 headers = {
@@ -129,11 +140,15 @@ class AuthRouter(qvisqve.Router):
 code = gen.create_nonce()
 aa.set_authorization_code(code)
+ redirect_uri = aa.get_redirect_uri()
+ if redirect_uri == '':
+ return qvisqve.bad_request_response('Bad request')
+
 params = { 'code': code, }
 url = '{}?{}'.format(
- aa.get_redirect_uri(),
+ redirect_uri,
 urllib.parse.urlencode(params) ) |
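Review bot: An unknown client_id or a redirect_uri that is not in the app's registered callbacks is only recorded as an empty string here and the login form is still rendered, so the user is prompted for credentials on an authorization request that can never complete, and the 400 is returned only after they have submitted them (second hunk). Since the mismatch is already known at this point, replacing `redirect_uri = ''` in both branches with `return qvisqve.bad_request_response('Bad request')` fails closed before any credentials are collected, which is also what RFC 6749 §4.1.2.1 asks for on a missing or mismatched redirect URI (inform the resource owner, never redirect). Exact membership in `callbacks` is the right comparison and should stay exact rather than prefix-based. The comment on the `self._apps.get` line should read `# Check that the app exists`, and emitting a log entry at the mismatch, in the style of the trace call just above the hunk, would make such requests visible for detection. The enclosing handler starts before the hunk and continues after it.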
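Review bot: `if redirect_uri == '':` recognizes only the empty-string sentinel set in the first hunk; if `aa.get_redirect_uri()` can return None (an attempt stored before this validation existed, or a missing key), the check passes and the redirect target becomes `None?code=...`. `if not redirect_uri:` covers both cases at no cost. The rejection also comes after `aa.set_authorization_code(code)` has already stored a code on the attempt; if that attempt stays usable elsewhere, moving the check above the code generation avoids minting a code for a request that is then refused. The enclosing method starts and ends outside the hunk.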