コード例 #1
ファイル: test_database.py プロジェクト: jbochi/oauth2u
def test_new_client_authorization_code_are_not_marked_as_used():
    """A freshly saved authorization code belongs to the client and is unused.

    Single-use enforcement depends on this starting state: a code has to begin
    as "not used" so that its first redemption can be told apart from a replay.
    """
    client_id = 'client-id'
    auth_code = 'auth-code-1nmb21'

    database.save_new_authorization_code(
        auth_code, client_id, 'my-state', 'http://example.com/return')

    assert database.client_has_authorization_code(client_id, auth_code)

    already_used = database.is_client_authorization_code_used(client_id, auth_code)
    assert not already_used
コード例 #2
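def validate_user_credentials(handler):
    '''
    This plugin will be executed in the authorization request handler on POST
    method.

    Different from GET method, no code is executed in the default handler. That's
    why we use ``client_id`` (stored on cookie by ``ask_user_credentials()`` above)
    to query tokens from database (saved on GET handler).

    :param handler: the request handler. It must provide ``get_secure_cookie``,
        ``get_argument``, ``write``, ``request.uri``, ``application.database``
        and the ``redirect_access_granted`` / ``redirect_access_denied``
        methods called below.

    Security notes:

    * The ``('admin', 'admin')`` comparison is a hard-coded demonstration
      credential (the error page even hints at it). Replace it with a lookup
      against a real user store before exposing this handler.
    * ``handler.request.uri`` is controlled by whoever crafted the request, so
      it is HTML-escaped before being placed in the "Try again" link.

    '''
    # Function-scope import so the block stays self-contained; this module is
    # in the standard library of both Python 2 and Python 3.
    from xml.sax.saxutils import escape as _xml_escape

    # NOTE(review): presumably either cookie can be None when it is missing or
    # fails signature validation; the database lookup below is then expected
    # to report "no such code" -- confirm against the database implementation.
    client_id = handler.get_secure_cookie('client_id')
    code = handler.get_secure_cookie('code')

    database = handler.application.database

    credentials = (handler.get_argument('username', ''),
                   handler.get_argument('password', ''))

    # The consent checkbox: anything other than the literal 'on' means "deny".
    allow = (handler.get_argument('allow', 'off') == 'on')

    if not database.client_has_authorization_code(client_id, code):
        handler.write('<p>No authorization code created to this client_id</p>')
    elif credentials == ('admin', 'admin'):
        if allow:
            handler.redirect_access_granted(client_id, code)
        else:
            handler.redirect_access_denied(client_id, code)
    else:
        # Escape &, <, > and both quote characters so the request URI cannot
        # break out of the href attribute and inject markup into the page.
        retry_href = _xml_escape(handler.request.uri,
                                 {'"': '&quot;', "'": '&#x27;'})
        handler.write('<p>Invalid username and/or password</p>'
                      '<p><em>hint: try "admin" and "admin"</em></p>'
                      '<p><a href="{0}">Try again</a></p>'.format(retry_href))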
コード例 #3
ファイル: test_database.py プロジェクト: hltbra/oauth2u
def test_should_mark_client_authorization_code_as_used():
    """Marking a code as used flips its "used" flag without forgetting the code.

    The code must stay associated with the client after redemption so that a
    second presentation of it is recognised as a replay, not as unknown.
    """
    client_id = 'client-id'
    auth_code = 'auth-code-1nmb21'

    database.save_new_authorization_code(
        auth_code,
        client_id,
        'http://example.com/return',
        'http://example.com/return?code=auth-code-1nmb21')
    database.mark_client_authorization_code_as_used(client_id, auth_code)

    still_known = database.client_has_authorization_code(client_id, auth_code)
    assert still_known

    now_used = database.is_client_authorization_code_used(client_id, auth_code)
    assert now_used
コード例 #4
ファイル: test_database.py プロジェクト: jbochi/oauth2u
def test_should_save_and_retrieve_client_authorization_code():
    """Saving a code registers the client and makes exactly one code retrievable."""
    client_id = 'client-id'
    auth_code = 'auth-code-1nmb21'

    # Precondition: the client is unknown before any code has been saved.
    unknown_before = not database.find_client(client_id)
    assert unknown_before

    database.save_new_authorization_code(
        auth_code, client_id, 'my-state', 'http://example.com/return')

    # Postconditions: the client exists, owns one code, and it is the saved one.
    assert database.find_client(client_id)
    assert 1 == database.client_authorization_codes_count(client_id)
    assert database.client_has_authorization_code(client_id, auth_code)
コード例 #5
ファイル: defaults.py プロジェクト: hltbra/oauth2u
    def validate_client_authorization(self):
        """Check client, authorization code and redirect URI of this request.

        The checks run in this order, each reporting through ``raise_http_401``
        or ``raise_http_400`` with an OAuth-style error body:

        1. ``self.client_id`` must be a known client (401 ``invalid_client``).
        2. ``self.code_from_header`` must belong to that client
           (401 ``invalid_client``).
        3. ``self.code`` must belong to that client (400 ``invalid_grant``).
        4. ``self.redirect_uri`` must match the one stored for the code
           (400 ``invalid_grant``).
        5. The code must not have been used already (400 ``invalid_grant``).

        Steps 1 and 2 deliberately share one error description, so the
        response does not reveal whether the client id or the code was wrong.

        NOTE(review): this assumes ``raise_http_401`` / ``raise_http_400``
        raise and abort the request; if they return, the later checks still
        run -- confirm against their definitions.
        """
        def error_body(error, description):
            # Fresh dict per call, same key order as the OAuth error payload.
            return {'error': error, 'error_description': description}

        bad_header = 'Invalid client_id or code on Authorization header'

        known_client = database.find_client(self.client_id)
        if not known_client:
            self.raise_http_401(error_body('invalid_client', bad_header))

        header_code_ok = database.client_has_authorization_code(
            self.client_id, self.code_from_header)
        if not header_code_ok:
            self.raise_http_401(error_body('invalid_client', bad_header))

        body_code_ok = database.client_has_authorization_code(
            self.client_id, self.code)
        if not body_code_ok:
            self.raise_http_400(
                error_body('invalid_grant', 'Invalid code for this client'))

        redirect_ok = database.client_has_redirect_uri_for_code(
            self.client_id, self.code, self.redirect_uri)
        if not redirect_ok:
            self.raise_http_400(
                error_body('invalid_grant', 'redirect_uri does not match'))

        # Replay protection: an authorization code may be redeemed only once.
        replayed = database.is_client_authorization_code_used(
            self.client_id, self.code)
        if replayed:
            self.raise_http_400(
                error_body('invalid_grant', 'Authorization grant already used'))