From 6225fa2953f1034d12bec3bde482ce44c26596cf Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Mon, 6 Aug 2018 15:36:53 +0300
Subject: Fix: if redirect uri is wrong, return 400 for token

---
 qvisqve/auth_router.py | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/qvisqve/auth_router.py b/qvisqve/auth_router.py
index 097b5e7..8917df5 100644
--- a/qvisqve/auth_router.py
+++ b/qvisqve/auth_router.py
@@ -85,6 +85,17 @@ class AuthRouter(qvisqve.Router):
 'trace', msg_text='params', path=path, qs=qs, params=params,
 cleaned=cleaned)
 
+ client_id = cleaned.get('client_id')
+ redirect_uri = cleaned.get('redirect_uri')
+ app = self._apps.get(client_id) # Check the app exist
+ if app is None:
+ redirect_uri = ''
+ else:
+ callbacks = self._apps.get_callbacks(client_id)
+ if redirect_uri not in callbacks:
+ redirect_uri = ''
+ cleaned['redirect_uri'] = redirect_uri
+
 aa = self._attempts.create_attempt(cleaned)
 form = bottle.template(login_form, attempt_id=aa.get_attempt_id())
 headers = {
@@ -129,11 +140,15 @@ class AuthRouter(qvisqve.Router):
 code = gen.create_nonce()
 aa.set_authorization_code(code)
 
+ redirect_uri = aa.get_redirect_uri()
+ if redirect_uri == '':
+ return qvisqve.bad_request_response('Bad request')
+
 params = {
 'code': code,
 }
 url = '{}?{}'.format(
- aa.get_redirect_uri(),
+ redirect_uri,
 urllib.parse.urlencode(params)
 )
 
-- 
cgit v1.2.1
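Review bot: An unregistered or missing redirect_uri is only recorded here, not rejected: after the new block sets `redirect_uri = ''`, the handler still calls `create_attempt(cleaned)` and renders the login form, so the user is asked to authenticate against an attempt that can never complete, and the failure surfaces only later in the code-issuing path. Checking `if redirect_uri == '': return qvisqve.bad_request_response('Bad request')` directly before `aa = self._attempts.create_attempt(cleaned)` rejects the request before any state is stored, using the same helper the second hunk already relies on. Exact membership in `callbacks` (rather than a prefix or substring match) is the right comparison for a registered redirect target and should stay as written. The inline comment `# Check the app exist` should read `# Check that the app exists`. The enclosing method begins before this hunk, so whether `cleaned.get('client_id')` can be None by this point is not visible here.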
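Review bot: The 400 for an empty redirect URI is returned after `aa.set_authorization_code(code)` has already stored a freshly generated code on the attempt, so a rejected request still leaves behind an attempt that holds a valid-looking authorization code. Moving the `redirect_uri = aa.get_redirect_uri()` lookup and its check above `code = gen.create_nonce()` keeps the attempt state consistent with the response. The `== ''` test presumably depends on the authorization handler normalising a bad URI to the empty string; if `get_redirect_uri()` can also yield None for attempts created before this change, `if not redirect_uri:` covers both cases. The enclosing method starts before this hunk.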