diff options
| author | Lars Wirzenius <liw@liw.fi> | 2018-08-16 12:38:22 +0300 |
|---|---|---|
| committer | Lars Wirzenius <liw@liw.fi> | 2018-08-16 12:38:22 +0300 |
| commit | a2fa0e9ed35da83e4e6a2c4f5282473d132e1497 (patch) | |
| tree | 4a03c0f020421e85f2f147ce7f15160e7b762a83 /yarns | |
| parent | 371b445213a8d38948b655ce16f5b7ccf9ba6e46 (diff) | |
| download | qvisqve-a2fa0e9ed35da83e4e6a2c4f5282473d132e1497.tar.gz | |
Fix: add state= parameter to redirect URI after successful auth
Diffstat (limited to 'yarns')
| -rw-r--r-- | yarns/300-end-user-auth.yarn | 1 | ||||
| -rw-r--r-- | yarns/900-implements.yarn | 10 |
2 files changed, 9 insertions, 2 deletions
diff --git a/yarns/300-end-user-auth.yarn b/yarns/300-end-user-auth.yarn index da79b03..98295fb 100644 --- a/yarns/300-end-user-auth.yarn +++ b/yarns/300-end-user-auth.yarn @@ -149,6 +149,7 @@ browser see it. AND HTTP Location header starts with https://facade/callback? AND HTTP Location header is saved as LOCATION AND authorization code from LOCATION is saved as CODE + AND state from LOCATION is RANDOM The browser follows the redirect to the facade. The facade extracts the authorization code, and uses its own client credentials to diff --git a/yarns/900-implements.yarn b/yarns/900-implements.yarn index d63472c..97f7689 100644 --- a/yarns/900-implements.yarn +++ b/yarns/900-implements.yarn @@ -160,6 +160,14 @@ This chapter shows the scenario step implementations. params = urlparse.parse_qs(parts.query) V[var2] = params['code'][0] + IMPLEMENTS THEN state from (\S+) is (\S+) + import urlparse + var1 = get_next_match() + var2 = get_next_match() + parts = urlparse.urlparse(V[var1]) + params = urlparse.parse_qs(parts.query) + assertEqual(params['state'][0], var2) + IMPLEMENTS THEN remember HTTP (\S+) header as (.+) header = get_next_match() name = get_next_match() @@ -291,5 +299,3 @@ This chapter shows the scenario step implementations. assertTrue(tf is not None) assertTrue(isinstance(tf, str)) assertTrue(tf != "") - - |