
Loosen the checks on IndieAuth parameters so that generic OAuth 2.0 clients like Paw.app can be used

Danielle McLean 10 mesi fa
parent
commit
e4aa5c6e6e
Firmato da: Danielle McLean <dani@00dani.me> ID Chiave GPG: 8EB789DDF3ABD240
3 ha cambiato i file con 5 aggiunte e 6 eliminazioni
  1. 3
    4
      lemonauth/views/indie.py
  2. 2
    2
      lemonauth/views/token.py
  3. BIN
      lemoncurry.paw

+ 3
- 4
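--- a/lemonauth/views/indie.py
+++ b/lemonauth/views/indie.py
@@ -29,7 +29,7 @@ def canonical(url):
 @method_decorator(csrf_exempt, name='dispatch')
 class IndieView(TemplateView):
     template_name = 'lemonauth/indie.html'
-    required_params = ('me', 'client_id', 'redirect_uri')
+    required_params = ('client_id', 'redirect_uri')
 
     @method_decorator(login_required)
     @method_decorator(render_to(template_name))
@@ -43,9 +43,8 @@ class IndieView(TemplateView):
                     'parameter {0} is required'.format(param)
                 )
 
-        me = canonical(params['me'])
-        user = urljoin(utils.origin(request), request.user.url)
-        if user != me:
+        me = request.user.full_url
+        if 'me' in params and me != canonical(params['me']):
             return utils.forbid(
                 'you are logged in but not as {0}'.format(me)
             )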
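Review bot: The forbid message in the second hunk still formats `me`, but after this change `me` is the logged-in user's own URL, so a mismatch is reported as "you are logged in but not as <your own URL>" instead of naming the identity the client asked for. Format the requested value instead: `'you are logged in but not as {0}'.format(canonical(params['me']))`. The comparison also assumes `request.user.full_url` is already in the form `canonical()` produces; that is not visible here, so passing it through `canonical()` as well may be worthwhile. Since `me` is no longer required, a comment such as `# 'me' is optional for generic OAuth 2.0 clients; when sent it must match the logged-in user` would record the relaxed contract. The method body starts and ends outside the hunk.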

+ 2
- 2
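--- a/lemonauth/views/token.py
+++ b/lemonauth/views/token.py
@@ -34,12 +34,12 @@ class TokenView(View):
             return utils.bad_req(
                 'this endpoint only supports response_type=code'
             )
-        if code.client_id != post.get('client_id'):
+        if 'client_id' in post and code.client_id != post['client_id']:
             return utils.forbid('client id did not match')
         if code.redirect_uri != post.get('redirect_uri'):
             return utils.forbid('redirect uri did not match')
 
-        if code.me != post.get('me'):
+        if 'me' in post and code.me != post['me']:
             return utils.forbid('me did not match')
 
         return utils.choose_type(req, {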
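Review bot: Making the `client_id` comparison conditional means a request that simply omits `client_id` skips the check that the code is redeemed by the client it was issued to, leaving `redirect_uri` as the only binding visible in this hunk. No client authentication is visible here, so unless it happens elsewhere in `TokenView`, consider keeping the comparison mandatory and reading the client id from wherever the generic client does send it (OAuth 2.0 clients commonly use the HTTP Basic `Authorization` header) rather than treating absence as a match. The `me` comparison is relaxed the same way; that looks lower risk because `code.me` was presumably fixed when the code was issued, but a comment such as `# absent me/client_id is accepted for generic OAuth 2.0 clients; redirect_uri stays mandatory` would make the contract explicit. The method starts and ends outside the hunk.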

BIN
lemoncurry.paw

