Merge pull request #10 from stormsherpa/oauth_scopes

Fix scope handling and improve authorization flow
stormsherpa · Oct 8, 2020 · 29ad985 · 29ad985
2 parents 80cf527 + a92f403
commit 29ad985
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 20 deletions.
diff --git a/provider/__init__.py b/provider/__init__.py
@@ -1 +1 @@
-__version__ = "3.1"
+__version__ = "3.2"
diff --git a/provider/oauth2/forms.py b/provider/oauth2/forms.py
@@ -55,6 +55,11 @@ class ScopeModelChoiceField(forms.ModelMultipleChoiceField):
     def to_python(self, value):
         if isinstance(value, string_types):
             return [s for s in value.split(' ') if s != '']
+        elif isinstance(value, list):
+            value_list = list()
+            for item in value:
+                value_list.extend(self.to_python(item))
+            return value_list
         else:
             return value
 
@@ -330,14 +335,23 @@ def clean(self):
             )
         except Client.DoesNotExist:
             raise OAuthValidationError({'error': 'invalid_client'})
-        now = timezone.now()
+        now = timezone.now().astimezone(timezone.get_current_timezone())
         try:
+            redirect_uri = data.get('redirect_uri')
             grant = Grant.objects.get(
                 client=client,
                 code=data['code'],
-                redirect_uri=data.get('redirect_uri'),
-                expires__gt=now,
             )
+            if grant.redirect_uri and grant.redirect_uri != data.get('redirect_uri'):
+                raise OAuthValidationError({
+                    'error': 'invalid_grant',
+                    'debug': f'redirect_uri: {redirect_uri}',
+                })
+            if grant.expires < now:
+                raise OAuthValidationError({
+                    'error': 'invalid_grant',
+                    'debug': f'expries: {grant.expires}, now: {now}',
+                })
         except Grant.DoesNotExist:
             raise OAuthValidationError({'error': 'invalid_grant'})
 

diff --git a/provider/oauth2/tests/test_views.py b/provider/oauth2/tests/test_views.py
@@ -261,7 +261,10 @@ def url_func():
 
         state = 'def'
         response = self.client.get(url_func())
-        self.assertNotEqual(response.url, "/oauth2/authorize/confirm")
+        self.assertEqual(response.url, "/oauth2/authorize/confirm")
+
+        confirm_response = self.client.get(response.url)
+        self.assertEqual(confirm_response.status_code, 302)
 
     def test_authorize_every_time(self):
         state = 'abc'

diff --git a/provider/oauth2/views.py b/provider/oauth2/views.py
@@ -19,20 +19,6 @@ def validate_scopes(self, scope_list):
         return set(scope_list).issubset(scopes)
 
     def get_redirect_url(self, request):
-        client_id = request.GET.get('client_id')
-        try:
-            client = models.Client.objects.get(client_id=client_id)
-            if not client.authorize_every_time:
-                authorized = models.AuthorizedClient.objects.get(client__client_id=client_id)
-
-                requested_scopes = {s for s in
-                              request.GET.get('scope', '').split(' ') if s != ''}
-                authorized_scopes = set(authorized.scope.values_list('name', flat=True))
-                if requested_scopes.issubset(authorized_scopes):
-                    return reverse('oauth2:redirect')
-        except (models.AuthorizedClient.DoesNotExist, models.Client.DoesNotExist):
-            pass
-
         return reverse('oauth2:authorize')
 
 
@@ -56,9 +42,12 @@ def get_redirect_url(self, request):
         return reverse('oauth2:redirect')
 
     def has_authorization(self, request, client, scope_list):
-        authclient_mgr = models.AuthorizedClient.objects
         if client.auto_authorize:
             return True
+        if client.authorize_every_time:
+            return False
+
+        authclient_mgr = models.AuthorizedClient.objects
         auth = authclient_mgr.check_authorization_scope(request.user,
                                                         client,
                                                         scope_list)

diff --git a/tests/settings.py b/tests/settings.py
@@ -98,6 +98,8 @@
     'django.contrib.auth.hashers.SHA1PasswordHasher', # Used by unit tests
 ]
 
+USE_TZ = True
+
 # Use DiscoverRunner on Django 1.7 and above
 if DJANGO_VERSION[0] == 1 and DJANGO_VERSION[1] >= 7:
     TEST_RUNNER = 'django.test.runner.DiscoverRunner'