    def test_oauth2_step2(self):
        """Exercise every exit of oauth2_step2 (the authorization-code exchange).

        The rejection paths are driven in the order this test builds them up:
        a missing ``code`` and a missing ``state`` are client errors (400), a
        ``state`` that has nothing stored server-side or does not match what
        is stored is reported as a probable CSRF attempt (401), and a non-200
        answer from the token endpoint is surfaced as 401 carrying the
        provider's text.  The two success paths return the bare access token,
        taken from either a JSON body or a form-encoded one.
        """
        token_uri = 'http://example.com/oauth2/token'
        client_id = '1234'
        client_secret = 'secret'
        redirect_url = 'http://localhost/oauth2/callback'
        scope = 'scope1 scope2'
        request = DummyRequest()

        def exchange():
            # Identical call every time; only ``request`` changes between steps.
            return oauth2_step2(request, token_uri, client_id, client_secret,
                                redirect_url, scope)

        def assert_rejected(response, status, message):
            self.assertEqual(response.status, status)
            self.assertEqual(response.message, message)

        # No ``code`` at all.
        assert_rejected(exchange(), '400 Bad Request', 'Missing required code')

        # ``code`` present but the anti-CSRF ``state`` parameter absent.
        request.params = {'code': 'abcdef'}
        assert_rejected(exchange(), '400 Bad Request', 'Missing required state')

        # ``state`` echoed by the browser but never stored in the session.
        request.params['state'] = 'random-string'
        assert_rejected(exchange(), '401 Unauthorized',
                        'Missing internal state. You may be a victim of CSRF')

        # Stored state differs from the one echoed back.
        request.session = {'state': 'other-string'}
        assert_rejected(
            exchange(), '401 Unauthorized',
            'State parameter does not match internal state. You may be a victim of CSRF')

        # From here on the state check passes and the token endpoint is mocked.
        # ``state`` is re-armed before every exchange, mirroring the original
        # test; a successful validation may consume the stored value.
        with patch('requests.post') as fake:
            fake.return_value.status_code = 401
            fake.return_value.text = 'Unauthorized request'
            request.session['state'] = 'random-string'
            assert_rejected(exchange(), '401 Unauthorized', 'Unauthorized request')

        with patch('requests.post') as fake:
            fake.return_value.status_code = 200
            fake.return_value.json = lambda: {'access_token': 'qwerty'}
            request.session['state'] = 'random-string'
            self.assertEqual(exchange(), 'qwerty')

        with patch('requests.post') as fake:
            fake.return_value.status_code = 200
            fake.return_value.json = lambda: None
            fake.return_value.text = 'access_token=qwerty'
            request.session['state'] = 'random-string'
            self.assertEqual(exchange(), 'qwerty')
    def test_oauth2_step2(self):
        """Walk oauth2_step2 from the earliest rejection to a successful token.

        ``request`` is mutated between calls so that each step supplies exactly
        the piece the previous one lacked: first the ``code``, then the echoed
        ``state``, then a server-side state that does not match, then one that
        does.  The last three steps mock ``requests.post`` to stand in for the
        provider's token endpoint.
        """
        # oauth2_step2 accepts these by keyword (the provider callbacks call it
        # that way), which keeps every call below short.
        args = dict(
            token_uri='http://example.com/oauth2/token',
            client_id='1234',
            client_secret='secret',
            redirect_url='http://localhost/oauth2/callback',
            scope='scope1 scope2',
        )
        request = DummyRequest()

        def status_and_message(response):
            return (response.status, response.message)

        # Nothing in the query string.
        self.assertEqual(
            status_and_message(oauth2_step2(request, **args)),
            ('400 Bad Request', 'Missing required code'))

        # Authorization code without the anti-CSRF state.
        request.params = {'code': 'abcdef'}
        self.assertEqual(
            status_and_message(oauth2_step2(request, **args)),
            ('400 Bad Request', 'Missing required state'))

        # State echoed back, but nothing was stored for this session.
        request.params['state'] = 'random-string'
        self.assertEqual(
            status_and_message(oauth2_step2(request, **args)),
            ('401 Unauthorized',
             'Missing internal state. You may be a victim of CSRF'))

        # Stored and echoed states disagree.
        request.session = {'state': 'other-string'}
        self.assertEqual(
            status_and_message(oauth2_step2(request, **args)),
            ('401 Unauthorized',
             'State parameter does not match internal state. You may be a victim of CSRF'))

        def arm_state():
            # Re-set before each mocked exchange, as the original test did;
            # a successful validation may consume the stored value.
            request.session['state'] = 'random-string'

        # Provider rejects the code: its status and body are passed through.
        with patch('requests.post') as fake:
            fake.return_value.status_code = 401
            fake.return_value.text = 'Unauthorized request'
            arm_state()
            self.assertEqual(
                status_and_message(oauth2_step2(request, **args)),
                ('401 Unauthorized', 'Unauthorized request'))

        # JSON token response.
        with patch('requests.post') as fake:
            fake.return_value.status_code = 200
            fake.return_value.json = lambda: {'access_token': 'qwerty'}
            arm_state()
            self.assertEqual(oauth2_step2(request, **args), 'qwerty')

        # Form-encoded token response (json() yields nothing usable).
        with patch('requests.post') as fake:
            fake.return_value.status_code = 200
            fake.return_value.json = lambda: None
            fake.return_value.text = 'access_token=qwerty'
            arm_state()
            self.assertEqual(oauth2_step2(request, **args), 'qwerty')
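def facebook_callback(request):
    """View for the Facebook OAuth2 redirect URI (step 2 of the flow).

    Exchanges the ``code`` query parameter for an access token through
    :func:`oauth2_step2`, fetches the user's basic profile with that token and
    hands the result to :func:`register_or_update` together with the path of
    the ``home`` route (presumably the post-login destination).

    :param request: the current request; ``request.registry.settings`` must
        provide ``facebook_access_token_url``, ``facebook_app_id``,
        ``facebook_app_secret`` and ``facebook_basic_information_url``.
    :returns: whatever :func:`register_or_update` returns, or the error
        response produced by :func:`oauth2_step2` when the ``code``/``state``
        validation fails.
    :raises KeyError: if a required setting is missing or the profile has no
        ``id``/``name``.
    """
    settings = request.registry.settings
    access_token = oauth2_step2(
        request=request,
        token_uri=settings['facebook_access_token_url'],
        client_id=settings['facebook_app_id'],
        client_secret=settings['facebook_app_secret'],
        redirect_url=request.route_url('facebook_callback'),
        scope=_get_scope(),
        )

    # oauth2_step2 reports a missing ``code``/``state`` or a CSRF state
    # mismatch by *returning* an HTTP error response (it exposes ``.status``
    # and ``.message``; see its tests) rather than a token string.  Fail
    # closed: propagate that response instead of sending a non-token to the
    # provider and carrying on with a login that was never authorized.
    if hasattr(access_token, 'status'):
        return access_token

    info = get_user_info(settings['facebook_basic_information_url'],
                         access_token)
    user_id = info['id']
    # Facebook's profile uses ``name``; the local account model expects
    # ``screen_name``.
    info['screen_name'] = info['name']
    return register_or_update(request, 'facebook', user_id, info,
                              request.route_path('home'))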
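def google_callback(request):
    """View for the Google OAuth2 redirect URI (step 2 of the flow).

    Exchanges the ``code`` query parameter for an access token through
    :func:`oauth2_step2`, fetches the user's profile with that token, maps the
    Google field names onto the local ones and hands the result to
    :func:`register_or_update` together with the path of the ``home`` route
    (presumably the post-login destination).

    :param request: the current request; ``request.registry.settings`` must
        provide ``google_token_uri``, ``google_client_id``,
        ``google_client_secret`` and ``google_user_info_uri``.
    :returns: whatever :func:`register_or_update` returns, or the error
        response produced by :func:`oauth2_step2` when the ``code``/``state``
        validation fails.
    :raises KeyError: if a required setting is missing or the profile has no
        ``id``.
    """
    settings = request.registry.settings
    access_token = oauth2_step2(
        request=request,
        token_uri=settings['google_token_uri'],
        client_id=settings['google_client_id'],
        client_secret=settings['google_client_secret'],
        redirect_url=request.route_url('google_callback'),
        scope=_get_scope(),
       )

    # oauth2_step2 reports a missing ``code``/``state`` or a CSRF state
    # mismatch by *returning* an HTTP error response (it exposes ``.status``
    # and ``.message``; see its tests) rather than a token string.  Fail
    # closed: propagate that response instead of sending a non-token to the
    # provider and carrying on with a login that was never authorized.
    if hasattr(access_token, 'status'):
        return access_token

    info = get_user_info(settings['google_user_info_uri'], access_token)
    # ``id`` is the only field treated as mandatory; the rest default to ''.
    user_id = info['id']
    new_info = {
        'screen_name': info.get('name', ''),
        'first_name': info.get('given_name', ''),
        'last_name': info.get('family_name', ''),
        'email': info.get('email', ''),
        }

    return register_or_update(request, 'google', user_id, new_info,
                              request.route_path('home'))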