diff --git a/provider/__init__.py b/provider/__init__.py
index ec2d1d5..080e846 100644
--- a/provider/__init__.py
+++ b/provider/__init__.py
@@ -1 +1 @@
-__version__ = "3.1"
+__version__ = "3.2"
diff --git a/provider/oauth2/forms.py b/provider/oauth2/forms.py
index edffce6..f51a3c9 100644
--- a/provider/oauth2/forms.py
+++ b/provider/oauth2/forms.py
@@ -55,6 +55,11 @@ class ScopeModelChoiceField(forms.ModelMultipleChoiceField):
     def to_python(self, value):
         if isinstance(value, string_types):
             return [s for s in value.split(' ') if s != '']
+        elif isinstance(value, list):
+            value_list = list()
+            for item in value:
+                value_list.extend(self.to_python(item))
+            return value_list
         else:
             return value
 
@@ -330,14 +335,23 @@ def clean(self):
             )
         except Client.DoesNotExist:
             raise OAuthValidationError({'error': 'invalid_client'})
-        now = timezone.now()
+        now = timezone.now().astimezone(timezone.get_current_timezone())
         try:
+            redirect_uri = data.get('redirect_uri')
             grant = Grant.objects.get(
                 client=client,
                 code=data['code'],
-                redirect_uri=data.get('redirect_uri'),
-                expires__gt=now,
             )
+            if grant.redirect_uri and grant.redirect_uri != data.get('redirect_uri'):
+                raise OAuthValidationError({
+                    'error': 'invalid_grant',
+                    'debug': f'redirect_uri: {redirect_uri}',
+                })
+            if grant.expires < now:
+                raise OAuthValidationError({
+                    'error': 'invalid_grant',
+                    'debug': f'expries: {grant.expires}, now: {now}',
+                })
         except Grant.DoesNotExist:
             raise OAuthValidationError({'error': 'invalid_grant'})
 
diff --git a/provider/oauth2/tests/test_views.py b/provider/oauth2/tests/test_views.py
index 5e9ae30..78da3b2 100644
--- a/provider/oauth2/tests/test_views.py
+++ b/provider/oauth2/tests/test_views.py
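Review bot: In the new `elif isinstance(value, list)` branch of `to_python`, an item that is neither a string nor a list comes back from the recursive call unchanged (the `else` branch returns it as-is), and `extend` then either raises TypeError for a non-iterable item or splices in whatever that item iterates over. If nested lists of space-separated scope strings are the only intended input, record that: `# value may be a scope string or a (nested) list of them; flatten recursively`. Otherwise guard the recursion, e.g. `value_list.extend(self.to_python(item) if isinstance(item, (string_types, list)) else [item])`. As a point of style, `list()` is conventionally written `[]`.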
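Review bot: The expiry test `if grant.expires < now:` in `clean` accepts a grant whose `expires` equals `now`, whereas the removed `expires__gt=now` lookup rejected it; keep the previous boundary with `if grant.expires <= now:`. The `'debug'` entries in both `OAuthValidationError` payloads echo the submitted redirect_uri and the grant's expiry timestamp back to the token-endpoint caller; unless the error dict is filtered before serialisation (not visible in this hunk), that is extra data in an error response beyond the RFC 6749 §5.2 fields, and the key is misspelled `expries`. Computing `now` as `timezone.now().astimezone(timezone.get_current_timezone())` produces an aware datetime even when `USE_TZ` is off (Django's `timezone.now()` is naive there and `astimezone` then assumes system local time), so comparing it with a naive `grant.expires` would raise TypeError in such a deployment; plain `timezone.now()` already matches the storage form of `expires`, please confirm against the settings the project supports. The body of `clean` continues outside the hunk.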
@@ -261,7 +261,10 @@ def url_func():
             state = 'def'
 
         response = self.client.get(url_func())
-        self.assertNotEqual(response.url, "/oauth2/authorize/confirm")
+        self.assertEqual(response.url, "/oauth2/authorize/confirm")
+
+        confirm_response = self.client.get(response.url)
+        self.assertEqual(confirm_response.status_code, 302)
 
     def test_authorize_every_time(self):
         state = 'abc'
diff --git a/provider/oauth2/views.py b/provider/oauth2/views.py
index d01c85d..ccc9db8 100644
--- a/provider/oauth2/views.py
+++ b/provider/oauth2/views.py
@@ -19,20 +19,6 @@ def validate_scopes(self, scope_list):
         return set(scope_list).issubset(scopes)
 
     def get_redirect_url(self, request):
-        client_id = request.GET.get('client_id')
-        try:
-            client = models.Client.objects.get(client_id=client_id)
-            if not client.authorize_every_time:
-                authorized = models.AuthorizedClient.objects.get(client__client_id=client_id)
-
-                requested_scopes = {s for s in
-                                    request.GET.get('scope', '').split(' ') if s != ''}
-                authorized_scopes = set(authorized.scope.values_list('name', flat=True))
-                if requested_scopes.issubset(authorized_scopes):
-                    return reverse('oauth2:redirect')
-        except (models.AuthorizedClient.DoesNotExist, models.Client.DoesNotExist):
-            pass
-
         return reverse('oauth2:authorize')
 
 
@@ -56,9 +42,12 @@ def get_redirect_url(self, request):
         return reverse('oauth2:redirect')
 
     def has_authorization(self, request, client, scope_list):
-        authclient_mgr = models.AuthorizedClient.objects
         if client.auto_authorize:
             return True
+        if client.authorize_every_time:
+            return False
+
+        authclient_mgr = models.AuthorizedClient.objects
         auth = authclient_mgr.check_authorization_scope(request.user, client, scope_list)
 
 
diff --git a/tests/settings.py b/tests/settings.py
index ffe5c4e..fa85b1f 100644
--- a/tests/settings.py
+++ b/tests/settings.py
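Review bot: The added `confirm_response` assertion checks only that the confirm page answers 302, not where it sends the browser, so a redirect back to the authorize form or to an error page would also pass; assert the target as well, e.g. `self.assertEqual(confirm_response.url, <expected path>)`. The enclosing test method starts outside the hunk.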
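Review bot: In `has_authorization`, the new `if client.authorize_every_time: return False` sits after `if client.auto_authorize: return True`, so a client with both flags set is auto-authorized without ever reaching the consent page; that precedence is a policy decision worth recording in place: `# auto_authorize takes precedence over authorize_every_time; a client with both set never sees the consent page`. The preceding hunk turns `get_redirect_url` into an unconditional `return reverse('oauth2:authorize')`, so a one-line docstring noting that the consent decision is now made in `has_authorization` would help the next reader. The method body continues outside the hunk.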
@@ -98,6 +98,8 @@
     'django.contrib.auth.hashers.SHA1PasswordHasher', # Used by unit tests
 ]
 
+USE_TZ = True
+
 # Use DiscoverRunner on Django 1.7 and above
 if DJANGO_VERSION[0] == 1 and DJANGO_VERSION[1] >= 7:
     TEST_RUNNER = 'django.test.runner.DiscoverRunner'