Loosen the checks on IndieAuth parameters so that generic OAuth 2.0 clients like Paw.app can be used
parent
fa66fbbf1e
commit
e4aa5c6e6e
3 changed files with 5 additions and 6 deletions
|
@ -29,7 +29,7 @@ def canonical(url):
|
||||||
@method_decorator(csrf_exempt, name='dispatch')
|
@method_decorator(csrf_exempt, name='dispatch')
|
||||||
class IndieView(TemplateView):
|
class IndieView(TemplateView):
|
||||||
template_name = 'lemonauth/indie.html'
|
template_name = 'lemonauth/indie.html'
|
||||||
required_params = ('me', 'client_id', 'redirect_uri')
|
required_params = ('client_id', 'redirect_uri')
|
||||||
|
|
||||||
@method_decorator(login_required)
|
@method_decorator(login_required)
|
||||||
@method_decorator(render_to(template_name))
|
@method_decorator(render_to(template_name))
|
||||||
|
@ -43,9 +43,8 @@ class IndieView(TemplateView):
|
||||||
'parameter {0} is required'.format(param)
|
'parameter {0} is required'.format(param)
|
||||||
)
|
)
|
||||||
|
|
||||||
me = canonical(params['me'])
|
me = request.user.full_url
|
||||||
user = urljoin(utils.origin(request), request.user.url)
|
if 'me' in params and me != canonical(params['me']):
|
||||||
if user != me:
|
|
||||||
return utils.forbid(
|
return utils.forbid(
|
||||||
'you are logged in but not as {0}'.format(me)
|
'you are logged in but not as {0}'.format(me)
|
||||||
)
|
)
|
||||||
|
|
|
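Review bot: The forbid message in the second IndieView hunk still formats `me`, but `me` now holds `request.user.full_url`, so on a mismatch the response reads "you are logged in but not as" followed by the identity the user is in fact logged in as. Format the requested identity instead: `'you are logged in but not as {0}'.format(canonical(params['me']))`. The new comparison also sets `request.user.full_url` against `canonical(params['me'])`, where the old code built the user URL with `urljoin`. If `full_url` is not already in canonical form (its definition is not visible here), a legitimate request would be refused, so `me = canonical(request.user.full_url)` may be the safer assignment. The method body starts and ends outside the hunk.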
@ -34,12 +34,12 @@ class TokenView(View):
|
||||||
return utils.bad_req(
|
return utils.bad_req(
|
||||||
'this endpoint only supports response_type=code'
|
'this endpoint only supports response_type=code'
|
||||||
)
|
)
|
||||||
if code.client_id != post.get('client_id'):
|
if 'client_id' in post and code.client_id != post['client_id']:
|
||||||
return utils.forbid('client id did not match')
|
return utils.forbid('client id did not match')
|
||||||
if code.redirect_uri != post.get('redirect_uri'):
|
if code.redirect_uri != post.get('redirect_uri'):
|
||||||
return utils.forbid('redirect uri did not match')
|
return utils.forbid('redirect uri did not match')
|
||||||
|
|
||||||
if code.me != post.get('me'):
|
if 'me' in post and code.me != post['me']:
|
||||||
return utils.forbid('me did not match')
|
return utils.forbid('me did not match')
|
||||||
|
|
||||||
return utils.choose_type(req, {
|
return utils.choose_type(req, {
|
||||||
|
|
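Review bot: The `client_id` comparison in TokenView is now skipped whenever the POST body omits the parameter, so an authorization code is no longer bound to the client it was issued to unless the caller volunteers its id. RFC 6749 section 4.1.3 requires `client_id` at the token endpoint when the client is not authenticating, and no client authentication is visible in this hunk, so possession of the code and its redirect_uri would be enough to redeem it. Consider allowing the omission only when the client has been identified some other way (for example, HTTP Basic credentials compared with `code.client_id`), and otherwise keeping `if code.client_id != post.get('client_id'):`. The relaxed `me` check has the same shape but is lower risk, provided the response always returns `code.me` and never the posted value. The method continues outside the hunk.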
BIN
lemoncurry.paw
BIN
lemoncurry.paw
Binary file not shown.