Make relative redirect URIs redirect to the right place, by urljoining them with the client ID

Danielle McLean 2017-11-03 11:28:26 +11:00
parent 1c09be1b1c
commit 92cd38cbb0
Signed by untrusted user: 00dani
GPG key ID: 5A5D2D1AFF12EEC5
2 changed files with 6 additions and 2 deletions


@ -34,7 +34,7 @@
{% endfor %} {% endfor %}
</div> </div>
{% endif %} {% endif %}
<p class="card-text"><small>you will be redirected to <a class="code" href="{{ params.redirect_uri }}">{{ params.redirect_uri }}</a> after authorising this app</small></p> <p class="card-text"><small>you will be redirected to <a class="code" href="{{ redirect_uri }}">{{ redirect_uri }}</a> after authorising this app</small></p>
</div> </div>
<div class="card-footer"> <div class="card-footer">
@ -47,7 +47,7 @@
{% csrf_token %} {% csrf_token %}
<input name="me" type="hidden" value="{{ me }}" /> <input name="me" type="hidden" value="{{ me }}" />
<input name="client_id" type="hidden" value="{{ params.client_id }}" /> <input name="client_id" type="hidden" value="{{ params.client_id }}" />
<input name="redirect_uri" type="hidden" value="{{ params.redirect_uri }}" /> <input name="redirect_uri" type="hidden" value="{{ redirect_uri }}" />
{% if params.state %}<input name="state" type="hidden" value="{{ params.state }}" />{% endif %} {% if params.state %}<input name="state" type="hidden" value="{{ params.state }}" />{% endif %}
<input name="response_type" type="hidden" value="{{ params.response_type }}" /> <input name="response_type" type="hidden" value="{{ params.response_type }}" />
</form> </form>
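Review bot: The `href="{{ redirect_uri }}"` link and the hidden `redirect_uri` input both render a value that originates from the request, and template autoescaping covers HTML metacharacters only, not the URL scheme. Nothing visible in this commit restricts the resolved value to `http`/`https`, so the view should reject other schemes before building the context, e.g. `if urlsplit(redirect_uri).scheme not in ('http', 'https'): return utils.bad_req(...)`. The hidden field is also client-editable, so the handler that receives this form presumably needs to repeat the check rather than trust the posted value; that handler is outside the visible sections.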


@ -51,6 +51,8 @@ class IndieView(TemplateView):
'you are logged in but not as {0}'.format(me) 'you are logged in but not as {0}'.format(me)
) )
redirect_uri = urljoin(params['client_id'], params['redirect_uri'])
type = params['response_type'] type = params['response_type']
if type not in ('id', 'code'): if type not in ('id', 'code'):
return utils.bad_req( return utils.bad_req(
@ -71,6 +73,7 @@ class IndieView(TemplateView):
.get('rels', ())) .get('rels', ()))
verified = 'redirect_uri' in rels verified = 'redirect_uri' in rels
try: try:
app = client.to_dict(filter_by_type='h-x-app')[0]['properties'] app = client.to_dict(filter_by_type='h-x-app')[0]['properties']
except IndexError: except IndexError:
@ -79,6 +82,7 @@ class IndieView(TemplateView):
return { return {
'app': app, 'app': app,
'me': me, 'me': me,
'redirect_uri': redirect_uri,
'verified': verified, 'verified': verified,
'params': params, 'params': params,
'scopes': scopes, 'scopes': scopes,
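Review bot: The new `redirect_uri = urljoin(params['client_id'], params['redirect_uri'])` only resolves relative paths; an absolute value is returned as-is and a scheme-relative one keeps its own host, so the result can still point somewhere other than the client's origin. The surrounding `verified = 'redirect_uri' in rels` tests only that the client page advertises some redirect_uri rel, not that the resolved URI is one of them. Consider tying the flag to the resolved value, e.g. `verified = redirect_uri in rels.get('redirect_uri', ())`, alongside a same-origin comparison of `redirect_uri` and `params['client_id']`; this assumes `rels` maps rel names to lists of absolute URLs, which the hunks do not show. A short comment above the `urljoin` line saying that the joined value is what gets displayed and posted back would also help the next reader. The enclosing method starts and ends outside these hunks.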