From 43a56e865e7149bc2996e653dbde0c2c0283a15f Mon Sep 17 00:00:00 2001
From: Danielle McLean
Date: Fri, 3 Nov 2017 15:51:27 +1100
Subject: [PATCH] Add the current user's ID to the auth code, will be handy when making a token since we need to know who the token's for

---
 lemonauth/tokens.py | 8 +++++---
 lemonauth/views/indie.py | 7 ++-----
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/lemonauth/tokens.py b/lemonauth/tokens.py
index 240f5cd..8645912 100644
--- a/lemonauth/tokens.py
+++ b/lemonauth/tokens.py
@@ -12,14 +12,16 @@ def decode(token):
     return jwt.decode(token, settings.SECRET_KEY, algorithms=('HS256',))
 
 
-def gen_auth_code(post):
+def gen_auth_code(req):
+    post = req.POST
     params = {'me': post['me']}
     if 'state' in post:
         params['state'] = post['state']
 
     code = {
         'me': post['me'],
-        'id': post['client_id'],
+        'uid': req.user.id,
+        'cid': post['client_id'],
         'uri': post['redirect_uri'],
         'typ': post.get('response_type', 'id'),
         'iat': datetime.utcnow(),
@@ -29,7 +31,7 @@ def gen_auth_code(post):
         code['sco'] = ' '.join(post.getlist('scope'))
 
     params['code'] = encode(code)
-    return params
+    return (post['redirect_uri'], params)
 
 
 def verify_auth_code(c):
diff --git a/lemonauth/views/indie.py b/lemonauth/views/indie.py
index e78c6ad..8dab3ce 100644
--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@@ -101,7 +101,7 @@ class IndieView(TemplateView):
             return utils.bad_req(
                 'this endpoint only supports response_type=id'
             )
-        if code['id'] != post.get('client_id'):
+        if code['cid'] != post.get('client_id'):
             return utils.forbid('client id did not match')
         if code['uri'] != post.get('redirect_uri'):
             return utils.forbid('redirect uri did not match')
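Review bot: gen_auth_code now embeds `req.user.id` in the signed code without checking that the request is authenticated; Django's AnonymousUser reports `id` as None, so any caller that is not behind `login_required` would mint a valid code carrying `'uid': None`. Today the only visible caller, approve in views/indie.py, is decorated with `login_required`, but the function now takes the whole request and should state or enforce that precondition itself, e.g. `if not req.user.is_authenticated:` followed by `raise ValueError('auth code requires an authenticated user')`. A docstring would also help here, saying the function builds the IndieAuth authorization-code params from `req.POST` for the logged-in user and returns the redirect URI together with those params. Separately, `'me'` is still taken verbatim from POST rather than from the user record, so nothing in this function ties `uid` to `me`; if that binding is not checked elsewhere, whatever consumes `uid` later should verify it. gen_auth_code continues in the next hunk.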
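Review bot: The new return value hands back `post['redirect_uri']` exactly as the client supplied it, and approve in views/indie.py (the last hunk) redirects straight to it with the freshly signed code attached; I cannot see in this patch where redirect_uri is checked against client_id, so unless that happens before approve is reached this is an open redirect that leaks the auth code. If that check lives in the earlier GET/form handling, a comment at the return would save the next reader the search, e.g. `# redirect_uri is trusted here: it was validated against client_id before approval`. Note that both the signature and the return shape of gen_auth_code changed; any caller outside this patch would now receive a tuple instead of a dict. gen_auth_code starts in the previous hunk.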
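Review bot: `code['cid']` raises KeyError for a code that was signed before this commit, which stored the client id under `'id'`, so a stale-but-still-valid code now turns into a server error instead of a forbid; `if code.get('cid') != post.get('client_id'):` keeps the rejection path and also rejects a code with no client id at all. Whether old codes can still be in flight depends on their lifetime, which these hunks do not show (the first hunk sets `iat` but the rest of the claim dict is outside it). The enclosing method starts and ends outside the hunk.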
@@ -116,9 +116,6 @@ class IndieView(TemplateView):
 @login_required
 @require_POST
 def approve(request):
-    post = request.POST
-    params = tokens.gen_auth_code(post)
-
-    uri = post['redirect_uri']
+    uri, params = tokens.gen_auth_code(request)
     sep = '&' if '?' in uri else '?'
     return redirect(uri + sep + urlencode(params))