author | Lars Wirzenius <liw@liw.fi> | 2018-08-16 12:38:22 +0300 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2018-08-16 12:38:22 +0300 |
commit | a2fa0e9ed35da83e4e6a2c4f5282473d132e1497 (patch) | |
tree | 4a03c0f020421e85f2f147ce7f15160e7b762a83 | |
parent | 371b445213a8d38948b655ce16f5b7ccf9ba6e46 (diff) | |
download | qvisqve-a2fa0e9ed35da83e4e6a2c4f5282473d132e1497.tar.gz |
Fix: add state= parameter to redirect URI after successful auth
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | qvisqve/auth_router.py | 1 | ||||
-rw-r--r-- | yarns/300-end-user-auth.yarn | 1 | ||||
-rw-r--r-- | yarns/900-implements.yarn | 10 |
4 files changed, 14 insertions, 2 deletions
@@ -13,6 +13,10 @@ Version 0.9+git, not yet released
 There is a command line tool, `qvisqvetool`, for doing that from the command line.
+* Bug fix: when Qvisqve redirects browser to the facade, after a
+ successful user authentication, it now includes the `state`
+ parameter from the original authorization request.
+
 Version 0.9, released 2018-02-09
 ---------------------------------
diff --git a/qvisqve/auth_router.py b/qvisqve/auth_router.py
index 0313812..9dfb582 100644
--- a/qvisqve/auth_router.py
+++ b/qvisqve/auth_router.py
@@ -167,6 +167,7 @@ class AuthRouter(qvisqve.Router): params = { 'code': code,
+ 'state': aa.get_state(),
 } url = '{}?{}'.format( redirect_uri,
diff --git a/yarns/300-end-user-auth.yarn b/yarns/300-end-user-auth.yarn
index da79b03..98295fb 100644
--- a/yarns/300-end-user-auth.yarn
+++ b/yarns/300-end-user-auth.yarn
@@ -149,6 +149,7 @@ browser see it.
 AND HTTP Location header starts with https://facade/callback?
 AND HTTP Location header is saved as LOCATION
 AND authorization code from LOCATION is saved as CODE
+ AND state from LOCATION is RANDOM
 The browser follows the redirect to the facade. The facade extracts the authorization code, and uses its own client credentials to
diff --git a/yarns/900-implements.yarn b/yarns/900-implements.yarn
index d63472c..97f7689 100644
--- a/yarns/900-implements.yarn
+++ b/yarns/900-implements.yarn
@@ -160,6 +160,14 @@ This chapter shows the scenario step implementations.
 params = urlparse.parse_qs(parts.query)
 V[var2] = params['code'][0]
+ IMPLEMENTS THEN state from (\S+) is (\S+)
+ import urlparse
+ var1 = get_next_match()
+ var2 = get_next_match()
+ parts = urlparse.urlparse(V[var1])
+ params = urlparse.parse_qs(parts.query)
+ assertEqual(params['state'][0], var2)
+
 IMPLEMENTS THEN remember HTTP (\S+) header as (.+)
 header = get_next_match()
 name = get_next_match() 
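Review bot: `'state': aa.get_state(),` is added unconditionally, but RFC 6749 §4.1.2 has the server echo `state` only when the client included it in the authorization request; if `aa.get_state()` yields `None` for a request without one, encoding the `params` dict into the query string (the `format` call continues past the hunk, so this is inferred) would emit a literal `state=None` that a strict client will reject as a mismatch. Add the key only when a value exists: `state = aa.get_state()` followed by `if state is not None: params['state'] = state`. The value must be passed through byte-for-byte, since the facade compares it against what it originally sent to detect a forged callback. The enclosing method of `AuthRouter` both starts and ends outside the hunk.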
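Review bot: In the new `state from (\S+) is (\S+)` step, `assertEqual(params['state'][0], var2)` raises `KeyError` when the redirect carries no `state` at all, so the very regression this commit fixes would surface as a step crash instead of the assertion the scenario is written to make; `assertEqual(params.get('state', [None])[0], var2)` keeps that failure inside the step's own check. Because `parse_qs` returns a list per key, comparing only `[0]` also accepts a redirect that carries `state` twice; `assertEqual(params.get('state'), [var2])` pins exactly one echoed value, which is what the scenario in 300-end-user-auth.yarn intends.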
@@ -291,5 +299,3 @@ This chapter shows the scenario step implementations. assertTrue(tf is not None) assertTrue(isinstance(tf, str)) assertTrue(tf != "") - - |