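def login_callback():
    """Handle the redirect back from the authorization endpoint.

    Checks that the login flow was started in this session (``login.endpoint``
    and ``login.state`` are present), that the ``state`` query parameter echoes
    the stored CSRF state, and then validates the ``code`` query parameter
    against the authorization endpoint with ``AuthorizationCodeValidator``.

    Returns:
        A ``(response, 302)`` tuple redirecting to ``success`` when the code
        validates, or to ``failure`` otherwise. On failure the reason is left
        in the session under ``login.error`` and ``login.message``.

    Raises:
        exceptions.InvalidParameterException: a required session key is
            missing, i.e. no login was started in this session.
        exceptions.InvalidAuthorizationResponseException: the ``state`` or
            ``code`` query parameter is missing, ``state`` is not an integer,
            or ``state`` does not match the stored CSRF state.
    """
    for session_param in ('login.endpoint', 'login.state'):
        if session_param not in session:
            error = 'Missing session key: {}'.format(session_param)
            raise exceptions.InvalidParameterException(error)

    # Both query parameters come from the redirecting party, so a missing one
    # is reported as a bad authorization response rather than as a KeyError.
    for request_param in ('state', 'code'):
        if request_param not in request.args:
            error = 'Missing request parameter: {}'.format(request_param)
            raise exceptions.InvalidAuthorizationResponseException(error)

    # The endpoint echoed the state parameter back; it must match the CSRF
    # state stored when the login was started. A non-integer value cannot
    # match and is rejected the same way instead of surfacing a ValueError.
    try:
        received_state = int(request.args['state'])
    except ValueError:
        error = 'The given CSRF state is not a valid state value.'
        raise exceptions.InvalidAuthorizationResponseException(error)
    if received_state != session['login.state']:
        error = 'The given CSRF state mismatches the sent CSRF state.'
        raise exceptions.InvalidAuthorizationResponseException(error)

    # Build a validator using the required parameters.
    validator_params = {
        'authorization_endpoint': session['login.endpoint'],
        'code': request.args['code'],
        'client_id': url_for('login', _external=True),
        'redirect_uri': url_for('callback', _external=True)
    }
    validator = AuthorizationCodeValidator(**validator_params)

    # Check the authenticity of the code.
    if validator.valid:
        # Clear the stored state so the same callback cannot be replayed: the
        # keys stay present (as None), so a replay fails the state comparison
        # above instead of the missing-session-key check.
        session['login.endpoint'] = session['login.state'] = None
        session['login.profile'] = validator.profile_url
        return redirect(url_for('success')), 302
    else:
        session['login.error'] = 'validation_error'
        session['login.message'] = validator.error
        return redirect(url_for('failure')), 302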
 def test_spider_sends_appropiate_request(self):
     """Reading ``valid`` must send a request to the authorization endpoint."""
     endpoint = 'http://auth.example.com/login'
     httpretty.register_uri(
         httpretty.POST,
         endpoint,
         adding_headers={'content-type': 'application/json'},
         body='{"me": "http://johndoe.example.com/"}')
     validator = AuthorizationCodeValidator(
         authorization_endpoint=endpoint,
         code='deadbeef',
         client_id='http://client.example.com/',
         redirect_uri='http://client.example.com/callback')
     # Only the side effect of evaluating ``valid`` is under test here;
     # the value itself is deliberately ignored.
     validator.valid
     httpretty.has_request().should.be(True)
 def test_spider_handles_valid_requests(self):
     """A JSON ``me`` response from the endpoint marks the code as valid."""
     endpoint = 'http://auth.example.com/login'
     httpretty.register_uri(
         httpretty.POST,
         endpoint,
         adding_headers={'content-type': 'application/json'},
         body='{"me": "http://johndoe.example.com/"}')
     validator = AuthorizationCodeValidator(
         authorization_endpoint=endpoint,
         code='deadbeef',
         client_id='http://client.example.com/',
         redirect_uri='http://client.example.com/callback')
     self.assertTrue(validator.valid)
 def test_spider_handles_invalid_request_code(self):
     """A 400 error response from the endpoint is exposed through ``error``."""
     endpoint = 'http://auth.example.com/login'
     httpretty.register_uri(
         httpretty.POST,
         endpoint,
         adding_headers={'content-type': 'application/json'},
         body='{"error": "invalid_request"}',
         status=400)
     validator = AuthorizationCodeValidator(
         authorization_endpoint=endpoint,
         code='deadbeef',
         client_id='http://client.example.com/',
         redirect_uri='http://client.example.com/callback')
     validator.error.should.equal('invalid_request')