def test_oauth2_step2(self):
    """Exercise oauth2_step2's input validation and token exchange.

    Walks the rejection ladder in order (missing ``code``, missing
    ``state``, no session state to compare against, mismatched state)
    and then three mocked token-endpoint replies: a 401, a JSON body and
    a form-encoded body.  The mismatch cases are what defend the callback
    against CSRF, so their messages are pinned exactly.
    """
    token_uri = 'http://example.com/oauth2/token'
    client_id = '1234'
    client_secret = 'secret'
    redirect_url = 'http://localhost/oauth2/callback'
    scope = 'scope1 scope2'
    request = DummyRequest()

    def step2():
        # The client configuration never changes; only ``request`` is
        # mutated between calls.
        return oauth2_step2(request, token_uri, client_id, client_secret,
                            redirect_url, scope)

    # No ``code`` query parameter at all.
    response = step2()
    self.assertEqual(response.status, '400 Bad Request')
    self.assertEqual(response.message, 'Missing required code')

    # ``code`` present but the provider did not echo ``state`` back.
    request.params = {'code': 'abcdef'}
    response = step2()
    self.assertEqual(response.status, '400 Bad Request')
    self.assertEqual(response.message, 'Missing required state')

    # ``state`` echoed back but nothing stored in the session to compare
    # against: rejected as a possible CSRF attempt.
    request.params['state'] = 'random-string'
    response = step2()
    self.assertEqual(response.status, '401 Unauthorized')
    self.assertEqual(response.message,
                     'Missing internal state. You may be a victim of CSRF')

    # Session holds a different value than the one echoed back.
    request.session = {'state': 'other-string'}
    response = step2()
    self.assertEqual(response.status, '401 Unauthorized')
    self.assertEqual(
        response.message,
        'State parameter does not match internal state. '
        'You may be a victim of CSRF',
    )

    # State matches; the token endpoint itself rejects the exchange and
    # its body is surfaced as the error message.
    with patch('requests.post') as fake:
        fake.return_value.status_code = 401
        fake.return_value.text = 'Unauthorized request'
        request.session['state'] = 'random-string'
        response = step2()
        self.assertEqual(response.status, '401 Unauthorized')
        self.assertEqual(response.message, 'Unauthorized request')

    # Token endpoint answers with a JSON body.
    with patch('requests.post') as fake:
        fake.return_value.status_code = 200
        fake.return_value.json = lambda: {'access_token': 'qwerty'}
        request.session['state'] = 'random-string'
        self.assertEqual(step2(), 'qwerty')

    # Token endpoint answers with a form-encoded body instead of JSON.
    with patch('requests.post') as fake:
        fake.return_value.status_code = 200
        fake.return_value.json = lambda: None
        fake.return_value.text = 'access_token=qwerty'
        request.session['state'] = 'random-string'
        self.assertEqual(step2(), 'qwerty')
def test_oauth2_step2(self):
    """Exercise oauth2_step2's input validation and token exchange.

    First the four rejection paths (missing ``code``, missing ``state``,
    no session state, mismatched state), then three mocked replies from
    the token endpoint: a 401, a JSON body and a form-encoded body.
    """
    conf = dict(
        token_uri='http://example.com/oauth2/token',
        client_id='1234',
        client_secret='secret',
        redirect_url='http://localhost/oauth2/callback',
        scope='scope1 scope2',
    )
    request = DummyRequest()

    def exchange():
        # Same fixed client configuration on every call.
        return oauth2_step2(request, **conf)

    def assert_rejected(status, message):
        # Helper for the error-response cases: status and message both
        # have to match exactly.
        response = exchange()
        self.assertEqual(response.status, status)
        self.assertEqual(response.message, message)

    # No ``code`` parameter at all.
    assert_rejected('400 Bad Request', 'Missing required code')

    # ``code`` present, ``state`` not echoed back.
    request.params = {'code': 'abcdef'}
    assert_rejected('400 Bad Request', 'Missing required state')

    # ``state`` echoed back but no session value to compare it with.
    request.params['state'] = 'random-string'
    assert_rejected('401 Unauthorized',
                    'Missing internal state. You may be a victim of CSRF')

    # Session value differs from the echoed ``state``.
    request.session = {'state': 'other-string'}
    assert_rejected(
        '401 Unauthorized',
        'State parameter does not match internal state. '
        'You may be a victim of CSRF',
    )

    # State matches but the provider refuses the code exchange.
    with patch('requests.post') as fake:
        fake.return_value.status_code = 401
        fake.return_value.text = 'Unauthorized request'
        request.session['state'] = 'random-string'
        assert_rejected('401 Unauthorized', 'Unauthorized request')

    # Successful exchange, JSON body.
    with patch('requests.post') as fake:
        fake.return_value.status_code = 200
        fake.return_value.json = lambda: {'access_token': 'qwerty'}
        request.session['state'] = 'random-string'
        self.assertEqual(exchange(), 'qwerty')

    # Successful exchange, form-encoded body (json() yields nothing).
    with patch('requests.post') as fake:
        fake.return_value.status_code = 200
        fake.return_value.json = lambda: None
        fake.return_value.text = 'access_token=qwerty'
        request.session['state'] = 'random-string'
        self.assertEqual(exchange(), 'qwerty')
def facebook_callback(request):
    """Handle the redirect back from Facebook after the user authorized us.

    Exchanges the authorization code for an access token (oauth2_step2 is
    where the ``code``/``state`` validation lives), fetches the basic
    profile with that token and hands it to register_or_update, which
    produces the response sent to the browser.

    :param request: the incoming callback request; ``registry.settings``
        supplies the Facebook app credentials and endpoint URLs.
    :returns: whatever register_or_update returns.
    """
    cfg = request.registry.settings
    token = oauth2_step2(
        request=request,
        token_uri=cfg['facebook_access_token_url'],
        client_id=cfg['facebook_app_id'],
        client_secret=cfg['facebook_app_secret'],
        redirect_url=request.route_url('facebook_callback'),
        scope=_get_scope(),
    )
    # NOTE(review): the test suite exercises oauth2_step2 as returning an
    # error Response (400/401) rather than raising; if that holds for this
    # implementation the Response object itself would be passed on as the
    # token below — confirm against oauth2_step2's definition.
    profile = get_user_info(cfg['facebook_basic_information_url'], token)
    user_id = profile['id']
    # Facebook reports the display name as ``name``; register_or_update is
    # fed the provider-neutral ``screen_name`` key alongside the raw fields.
    profile['screen_name'] = profile['name']
    home = request.route_path('home')
    return register_or_update(request, 'facebook', user_id, profile, home)
def google_callback(request):
    """Handle the redirect back from Google after the user authorized us.

    Exchanges the authorization code for an access token (oauth2_step2 is
    where the ``code``/``state`` validation lives), fetches the user-info
    document and maps the fields we keep onto our own names before
    delegating to register_or_update.

    :param request: the incoming callback request; ``registry.settings``
        supplies the Google client credentials and endpoint URLs.
    :returns: whatever register_or_update returns.
    """
    cfg = request.registry.settings
    token = oauth2_step2(
        request=request,
        token_uri=cfg['google_token_uri'],
        client_id=cfg['google_client_id'],
        client_secret=cfg['google_client_secret'],
        redirect_url=request.route_url('google_callback'),
        scope=_get_scope(),
    )
    # NOTE(review): the test suite exercises oauth2_step2 as returning an
    # error Response (400/401) rather than raising; if that holds for this
    # implementation the Response object itself would be passed on as the
    # token below — confirm against oauth2_step2's definition.
    profile = get_user_info(cfg['google_user_info_uri'], token)
    user_id = profile['id']
    # Only these fields are kept; absent ones default to the empty string
    # so register_or_update never sees a missing key.
    field_map = (
        ('screen_name', 'name'),
        ('first_name', 'given_name'),
        ('last_name', 'family_name'),
        ('email', 'email'),
    )
    kept = {ours: profile.get(theirs, '') for ours, theirs in field_map}
    home = request.route_path('home')
    return register_or_update(request, 'google', user_id, kept, home)