Browse Source
Loosen the checks on IndieAuth parameters so that generic OAuth 2.0 clients like Paw.app can be used
tags/v1.9.10
3 changed files with 5 additions and 6 deletions
+ 3
- 4
lemonauth/views/indie.py
View File
| @@ -29,7 +29,7 @@ def canonical(url): | |||
| @method_decorator(csrf_exempt, name='dispatch') | |||
| class IndieView(TemplateView): | |||
| template_name = 'lemonauth/indie.html' | |||
| required_params = ('me', 'client_id', 'redirect_uri') | |||
| required_params = ('client_id', 'redirect_uri') | |||
| @method_decorator(login_required) | |||
| @method_decorator(render_to(template_name)) | |||
| @@ -43,9 +43,8 @@ class IndieView(TemplateView): | |||
| 'parameter {0} is required'.format(param) | |||
| ) | |||
| me = canonical(params['me']) | |||
| user = urljoin(utils.origin(request), request.user.url) | |||
| if user != me: | |||
| me = request.user.full_url | |||
| if 'me' in params and me != canonical(params['me']): | |||
| return utils.forbid( | |||
| 'you are logged in but not as {0}'.format(me) | |||
| ) | |||
+ 2
- 2
lemonauth/views/token.py
View File
| @@ -34,12 +34,12 @@ class TokenView(View): | |||
| return utils.bad_req( | |||
| 'this endpoint only supports response_type=code' | |||
| ) | |||
| if code.client_id != post.get('client_id'): | |||
| if 'client_id' in post and code.client_id != post['client_id']: | |||
| return utils.forbid('client id did not match') | |||
| if code.redirect_uri != post.get('redirect_uri'): | |||
| return utils.forbid('redirect uri did not match') | |||
| if code.me != post.get('me'): | |||
| if 'me' in post and code.me != post['me']: | |||
| return utils.forbid('me did not match') | |||
| return utils.choose_type(req, { | |||
BIN
lemoncurry.paw
View File
Loading…