def test_trusted_client_missing_code_verifier(self):
    """A code issued against a PKCE ``code_challenge`` needs a verifier.

    Authenticating as a confidential client (``client_secret_basic``)
    does not relax the PKCE binding: redeeming the code without
    ``code_verifier`` must yield an error whose description contains
    'Missing'.
    """
    self.prepare_data('client_secret_basic')
    authorize_url = self.authorize_url + '&code_challenge=foo'
    redirect = self.client.post(authorize_url, data={'user_id': '1'})
    self.assertIn('code=', redirect.location)

    query = urlparse.urlparse(redirect.location).query
    auth_code = dict(url_decode(query))['code']

    basic_auth = self.create_basic_header('code-client', 'code-secret')
    token_body = {'grant_type': 'authorization_code', 'code': auth_code}
    token_resp = self.client.post(
        '/oauth/token', data=token_body, headers=basic_auth)
    payload = json.loads(token_resp.data)
    self.assertIn('Missing', payload['error_description'])
def test_authorize_token_has_refresh_token(self):
    """Token response carries a refresh token when the generator is on.

    With ``OAUTH2_REFRESH_TOKEN_GENERATOR`` enabled and the client allowed
    the ``refresh_token`` grant, exchanging an authorization code must
    return both ``access_token`` and ``refresh_token``. The ``state``
    value is also expected to round-trip through the redirect.
    """
    # generate refresh token
    self.app.config.update({'OAUTH2_REFRESH_TOKEN_GENERATOR': True})
    self.prepare_data(grant_type='authorization_code\nrefresh_token')

    authorize_url = self.authorize_url + '&state=bar'
    redirect = self.client.post(authorize_url, data={'user_id': '1'})
    self.assertIn('code=', redirect.location)

    query = urlparse.urlparse(redirect.location).query
    query_params = dict(url_decode(query))
    self.assertEqual(query_params['state'], 'bar')
    auth_code = query_params['code']

    basic_auth = self.create_basic_header('code-client', 'code-secret')
    token_body = {'grant_type': 'authorization_code', 'code': auth_code}
    token_resp = self.client.post(
        '/oauth/token', data=token_body, headers=basic_auth)
    payload = json.loads(token_resp.data)
    for key in ('access_token', 'refresh_token'):
        self.assertIn(key, payload)
def test_s256_code_challenge_success(self):
    """A matching S256 verifier lets a public client redeem its code.

    The verifier is generated client-side, its S256 challenge is sent at
    the authorize step, and the token request (no client secret, only
    ``client_id``) succeeds once the raw verifier is supplied.
    """
    self.prepare_data()
    verifier = generate_token(48)
    challenge = create_s256_code_challenge(verifier)

    authorize_url = ''.join([
        self.authorize_url,
        '&code_challenge=', challenge,
        '&code_challenge_method=S256',
    ])
    redirect = self.client.post(authorize_url, data={'user_id': '1'})
    self.assertIn('code=', redirect.location)

    query = urlparse.urlparse(redirect.location).query
    auth_code = dict(url_decode(query))['code']

    token_body = {
        'grant_type': 'authorization_code',
        'code': auth_code,
        'code_verifier': verifier,
        'client_id': 'code-client',
    }
    token_resp = self.client.post('/oauth/token', data=token_body)
    payload = json.loads(token_resp.data)
    self.assertIn('access_token', payload)
def __init__(self, method, uri, body=None, headers=None):
    """Wrap an incoming HTTP request for the OAuth 2 server.

    :param method: HTTP method of the request.
    :param uri: full request URI. It is passed to
        ``InsecureTransportError.check`` before anything else is parsed,
        so a URI that fails that check never produces a request object.
    :param body: parsed form body (dict-like) or ``None``.
    :param headers: HTTP headers or ``None``.
    """
    InsecureTransportError.check(uri)
    #: HTTP method
    self.method = method
    self.uri = uri
    self.body = body
    #: HTTP headers
    self.headers = headers or {}
    parsed_uri = urlparse.urlparse(uri)
    self.query = parsed_uri.query
    self.args = dict(url_decode(self.query))
    self.form = self.body or {}
    #: dict of query and body params. The body is merged last, so on a
    #: duplicated key the body value overrides the query value.
    merged = dict(self.args)
    merged.update(self.form)
    self.data = merged
    #: authenticate method
    self.auth_method = None
    #: authenticated user on this request
    self.user = None
    #: authorization_code or token model instance
    self.credential = None
    #: client which sending this request
    self.client = None
def _revoke_token(self, url, body=None, auth=None, headers=None, **kwargs):
    """POST a revocation request through the underlying session.

    :param url: revocation endpoint.
    :param body: URL-encoded request body; it is decoded into a dict so
        the session sends it as form data.
    :param auth: authentication handler forwarded to the session.
    :param headers: HTTP headers forwarded to the session.
    :returns: whatever ``self.session.post`` returns.
    """
    form_data = dict(url_decode(body))
    return self.session.post(
        url,
        data=form_data,
        headers=headers,
        auth=auth,
        **kwargs
    )
def parse_authorization_response(self, url):
    """Extract parameters from the post authorization redirect
    response URL.

    The decoded query parameters are also stored on ``self.token``.
    No ``state`` comparison or ``error`` handling is performed here.

    :param url: The full URL that resulted from the user being redirected
        back from the OAuth provider to you, the client.
    :returns: A dict of parameters extracted from the URL.
    """
    query = urlparse.urlparse(url).query
    params = dict(url_decode(query))
    self.token = params
    return params
def _token_response(resp):
    """Normalise a form-encoded token response into standard shape.

    ``resp.text`` is URL-decoded, ``token_type`` is forced to ``Bearer``
    and the provider's ``expires`` field is copied into ``expires_in`` as
    an int (a ``KeyError`` is raised if ``expires`` is absent).
    ``resp.json`` is replaced so later callers read the normalised dict.

    :param resp: response object exposing ``text`` and a settable ``json``.
    :returns: the same response object, mutated.
    """
    token = dict(url_decode(resp.text))
    token['token_type'] = 'Bearer'
    token['expires_in'] = int(token['expires'])

    def _as_json():
        return token

    resp.json = _as_json
    return resp