
Loosen the checks on IndieAuth parameters so that generic OAuth 2.0 clients like Paw.app can be used

Danielle McLean 7 months ago
parent
commit
e4aa5c6e6e
Signed by: Danielle McLean <dani@00dani.me> GPG Key ID: 8EB789DDF3ABD240
3 changed files with 5 additions and 6 deletions
  1. 3
    4
      lemonauth/views/indie.py
  2. 2
    2
      lemonauth/views/token.py
  3. BIN
      lemoncurry.paw

+ 3
- 4
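--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@@ -29,7 +29,7 @@ def canonical(url):
 @method_decorator(csrf_exempt, name='dispatch')
 class IndieView(TemplateView):
     template_name = 'lemonauth/indie.html'
-    required_params = ('me', 'client_id', 'redirect_uri')
+    required_params = ('client_id', 'redirect_uri')
 
     @method_decorator(login_required)
     @method_decorator(render_to(template_name))
@@ -43,9 +43,8 @@ class IndieView(TemplateView):
                     'parameter {0} is required'.format(param)
                 )
 
-        me = canonical(params['me'])
-        user = urljoin(utils.origin(request), request.user.url)
-        if user != me:
+        me = request.user.full_url
+        if 'me' in params and me != canonical(params['me']):
             return utils.forbid(
                 'you are logged in but not as {0}'.format(me)
             )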
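Review bot: The forbidden message at the end of the second hunk now names the wrong identity: `me` is bound to `request.user.full_url` on the new line 46, so `'you are logged in but not as {0}'.format(me)` tells the user they are not logged in as themselves, whereas the old code formatted the `me` the client asked for. Keep the requested value under its own name, e.g. `requested = canonical(params['me']) if 'me' in params else None`, `if requested is not None and me != requested:` and `.format(requested)`. The new condition also deserves a comment stating that an omitted `me` is accepted and the session user's URL is used as the identity, so the identity asserted to the client comes from the server-side session rather than from the request. The enclosing method continues outside the hunk, so whether the issued code is bound to this `me` cannot be confirmed here.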

+ 2
- 2
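--- a/lemonauth/views/token.py
+++ b/lemonauth/views/token.py
@@ -34,12 +34,12 @@ class TokenView(View):
             return utils.bad_req(
                 'this endpoint only supports response_type=code'
             )
-        if code.client_id != post.get('client_id'):
+        if 'client_id' in post and code.client_id != post['client_id']:
             return utils.forbid('client id did not match')
         if code.redirect_uri != post.get('redirect_uri'):
             return utils.forbid('redirect uri did not match')
 
-        if code.me != post.get('me'):
+        if 'me' in post and code.me != post['me']:
             return utils.forbid('me did not match')
 
         return utils.choose_type(req, {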
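Review bot: After the new lines 37 and 42, a token request that simply omits `client_id` or `me` is no longer checked against the code it redeems, so `redirect_uri` on line 39 becomes the only remaining binding between the code and the requester, and that value is not a secret in IndieAuth. RFC 6749 §4.1.3 lists `client_id` as REQUIRED in the token request when the client does not otherwise authenticate, and a missing required parameter is normally answered with `invalid_request` rather than a silently skipped comparison; the same applies to `me`, whose check on line 42 was relaxed in the same way. If the relaxation is intended for generic OAuth 2.0 clients, state that in a comment above line 37, e.g. `# client_id and me are optional here so generic OAuth 2.0 clients can redeem codes; redirect_uri remains the only binding to the code`, so the reduced check is visible to the next reader. The enclosing method starts and ends outside the hunk.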

BIN
lemoncurry.paw View File

