authorLars Wirzenius <liw@liw.fi>2018-08-16 12:38:22 +0300
committerLars Wirzenius <liw@liw.fi>2018-08-16 12:38:22 +0300
commita2fa0e9ed35da83e4e6a2c4f5282473d132e1497 (patch)
tree4a03c0f020421e85f2f147ce7f15160e7b762a83
parent371b445213a8d38948b655ce16f5b7ccf9ba6e46 (diff)
downloadqvisqve-a2fa0e9ed35da83e4e6a2c4f5282473d132e1497.tar.gz
Fix: add state= parameter to redirect URI after successful auth
-rw-r--r--NEWS4
-rw-r--r--qvisqve/auth_router.py1
-rw-r--r--yarns/300-end-user-auth.yarn1
-rw-r--r--yarns/900-implements.yarn10
4 files changed, 14 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index cdade77..b9a5f59 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,10 @@ Version 0.9+git, not yet released
There is a command line tool, `qvisqvetool`, for doing that from the
command line.
+* Bug fix: when Qvisqve redirects browser to the facade, after a
+ successful user authentication, it now includes the `state`
+ parameter from the original authorization request.
+
Version 0.9, released 2018-02-09
---------------------------------
diff --git a/qvisqve/auth_router.py b/qvisqve/auth_router.py
index 0313812..9dfb582 100644
--- a/qvisqve/auth_router.py
+++ b/qvisqve/auth_router.py
@@ -167,6 +167,7 @@ class AuthRouter(qvisqve.Router):
params = {
'code': code,
+ 'state': aa.get_state(),
}
url = '{}?{}'.format(
redirect_uri,
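Review bot: `'state': aa.get_state()` is added to `params` unconditionally, so a request that arrived without a `state` would still get a `state` key in the redirect. What get_state() returns in that case is not visible here; if it is None and the dict is URL-encoded as-is, the facade would receive a literal `state=None`. RFC 6749 section 4.1.2 asks for `state` to be echoed only when the client sent one, and clients compare it exactly as their CSRF check, so I would add it conditionally: `state = aa.get_state()` followed by `if state is not None: params['state'] = state`. The enclosing method starts and ends outside the hunk, so the encoding step and any earlier validation of the request are not shown.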
diff --git a/yarns/300-end-user-auth.yarn b/yarns/300-end-user-auth.yarn
index da79b03..98295fb 100644
--- a/yarns/300-end-user-auth.yarn
+++ b/yarns/300-end-user-auth.yarn
@@ -149,6 +149,7 @@ browser see it.
AND HTTP Location header starts with https://facade/callback?
AND HTTP Location header is saved as LOCATION
AND authorization code from LOCATION is saved as CODE
+ AND state from LOCATION is RANDOM
The browser follows the redirect to the facade. The facade extracts
the authorization code, and uses its own client credentials to
diff --git a/yarns/900-implements.yarn b/yarns/900-implements.yarn
index d63472c..97f7689 100644
--- a/yarns/900-implements.yarn
+++ b/yarns/900-implements.yarn
@@ -160,6 +160,14 @@ This chapter shows the scenario step implementations.
params = urlparse.parse_qs(parts.query)
V[var2] = params['code'][0]
+ IMPLEMENTS THEN state from (\S+) is (\S+)
+ import urlparse
+ var1 = get_next_match()
+ var2 = get_next_match()
+ parts = urlparse.urlparse(V[var1])
+ params = urlparse.parse_qs(parts.query)
+ assertEqual(params['state'][0], var2)
+
IMPLEMENTS THEN remember HTTP (\S+) header as (.+)
header = get_next_match()
name = get_next_match()
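Review bot: In the new `state from (\S+) is (\S+)` step, `params['state'][0]` raises KeyError when the Location header has no `state` (parse_qs also drops blank values by default), so the regression this commit guards against would show up as a traceback rather than a failed assertion. Adding `assertTrue('state' in params)` before the `assertEqual` would make the failure read as what it is. The URL parsing here repeats the lines of the authorization-code step just above; a shared helper would keep the two in sync.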
@@ -291,5 +299,3 @@ This chapter shows the scenario step implementations.
assertTrue(tf is not None)
assertTrue(isinstance(tf, str))
assertTrue(tf != "")
-
-