From a2fa0e9ed35da83e4e6a2c4f5282473d132e1497 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius <liw@liw.fi>
Date: Thu, 16 Aug 2018 12:38:22 +0300
Subject: Fix: add state= parameter to redirect URI after successful auth

---
 NEWS                         |  4 ++++
 qvisqve/auth_router.py       |  1 +
 yarns/300-end-user-auth.yarn |  1 +
 yarns/900-implements.yarn    | 10 ++++++++--
 4 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index cdade77..b9a5f59 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,10 @@ Version 0.9+git, not yet released
   There is a command line tool, `qvisqvetool`, for doing that from the
   command line.
 
+* Bug fix: when Qvisqve redirects browser to the facade, after a
+  successful user authentication, it now includes the `state`
+  parameter from the original authorization request.
+
 Version 0.9, released 2018-02-09
 ---------------------------------
 
diff --git a/qvisqve/auth_router.py b/qvisqve/auth_router.py
index 0313812..9dfb582 100644
--- a/qvisqve/auth_router.py
+++ b/qvisqve/auth_router.py
@@ -167,6 +167,7 @@ class AuthRouter(qvisqve.Router):
 
         params = {
             'code': code,
+            'state': aa.get_state(),
         }
         url = '{}?{}'.format(
             redirect_uri,
diff --git a/yarns/300-end-user-auth.yarn b/yarns/300-end-user-auth.yarn
index da79b03..98295fb 100644
--- a/yarns/300-end-user-auth.yarn
+++ b/yarns/300-end-user-auth.yarn
@@ -149,6 +149,7 @@ browser see it.
     AND HTTP Location header starts with https://facade/callback?
     AND HTTP Location header is saved as LOCATION
     AND authorization code from LOCATION is saved as CODE
+    AND state from LOCATION is RANDOM
 
 The browser follows the redirect to the facade. The facade extracts
 the authorization code, and uses its own client credentials to
diff --git a/yarns/900-implements.yarn b/yarns/900-implements.yarn
index d63472c..97f7689 100644
--- a/yarns/900-implements.yarn
+++ b/yarns/900-implements.yarn
@@ -160,6 +160,14 @@ This chapter shows the scenario step implementations.
     params = urlparse.parse_qs(parts.query)
     V[var2] = params['code'][0]
 
+    IMPLEMENTS THEN state from (\S+) is (\S+)
+    import urlparse
+    var1 = get_next_match()
+    var2 = get_next_match()
+    parts = urlparse.urlparse(V[var1])
+    params = urlparse.parse_qs(parts.query)
+    assertEqual(params['state'][0], var2)
+
     IMPLEMENTS THEN remember HTTP (\S+) header as (.+)
     header = get_next_match()
     name = get_next_match()
@@ -291,5 +299,3 @@ This chapter shows the scenario step implementations.
     assertTrue(tf is not None)
     assertTrue(isinstance(tf, str))
     assertTrue(tf != "")
-
-
-- 
cgit v1.2.1