def test_oauth2_step2(self):
token_uri = 'http://example.com/oauth2/token'
client_id = '1234'
client_secret = 'secret'
redirect_url = 'http://localhost/oauth2/callback'
scope = 'scope1 scope2'
request = DummyRequest()
response = oauth2_step2(request, token_uri, client_id, client_secret,
redirect_url, scope)
self.assertEqual(response.status, '400 Bad Request')
self.assertEqual(response.message, 'Missing required code')
request.params = {'code': 'abcdef'}
response = oauth2_step2(request, token_uri, client_id, client_secret,
redirect_url, scope)
self.assertEqual(response.status, '400 Bad Request')
self.assertEqual(response.message, 'Missing required state')
request.params['state'] = 'random-string'
response = oauth2_step2(request, token_uri, client_id, client_secret,
redirect_url, scope)
self.assertEqual(response.status, '401 Unauthorized')
self.assertEqual(
response.message,
'Missing internal state. You may be a victim of CSRF')
request.session = {'state': 'other-string'}
response = oauth2_step2(request, token_uri, client_id, client_secret,
redirect_url, scope)
self.assertEqual(response.status, '401 Unauthorized')
self.assertEqual(
response.message,
'State parameter does not match internal state. You may be a victim of CSRF'
)
with patch('requests.post') as fake:
fake.return_value.status_code = 401
fake.return_value.text = 'Unauthorized request'
request.session['state'] = 'random-string'
response = oauth2_step2(request, token_uri, client_id,
client_secret, redirect_url, scope)
self.assertEqual(response.status, '401 Unauthorized')
self.assertEqual(response.message, 'Unauthorized request')
with patch('requests.post') as fake:
fake.return_value.status_code = 200
fake.return_value.json = lambda: {'access_token': 'qwerty'}
request.session['state'] = 'random-string'
response = oauth2_step2(request, token_uri, client_id,
client_secret, redirect_url, scope)
self.assertEqual(response, 'qwerty')
with patch('requests.post') as fake:
fake.return_value.status_code = 200
fake.return_value.json = lambda: None
fake.return_value.text = 'access_token=qwerty'
request.session['state'] = 'random-string'
response = oauth2_step2(request, token_uri, client_id,
client_secret, redirect_url, scope)
self.assertEqual(response, 'qwerty')
def test_oauth2_step2(self):
token_uri = 'http://example.com/oauth2/token'
client_id = '1234'
client_secret = 'secret'
redirect_url = 'http://localhost/oauth2/callback'
scope = 'scope1 scope2'
request = DummyRequest()
response = oauth2_step2(request, token_uri, client_id, client_secret,
redirect_url, scope)
self.assertEqual(response.status, '400 Bad Request')
self.assertEqual(response.message, 'Missing required code')
request.params = {'code': 'abcdef'}
response = oauth2_step2(request, token_uri, client_id, client_secret,
redirect_url, scope)
self.assertEqual(response.status, '400 Bad Request')
self.assertEqual(response.message, 'Missing required state')
request.params['state'] = 'random-string'
response = oauth2_step2(request, token_uri, client_id, client_secret,
redirect_url, scope)
self.assertEqual(response.status, '401 Unauthorized')
self.assertEqual(response.message, 'Missing internal state. You may be a victim of CSRF')
request.session = {'state': 'other-string'}
response = oauth2_step2(request, token_uri, client_id, client_secret,
redirect_url, scope)
self.assertEqual(response.status, '401 Unauthorized')
self.assertEqual(response.message, 'State parameter does not match internal state. You may be a victim of CSRF')
with patch('requests.post') as fake:
fake.return_value.status_code = 401
fake.return_value.text = 'Unauthorized request'
request.session['state'] = 'random-string'
response = oauth2_step2(request, token_uri,
client_id, client_secret,
redirect_url, scope)
self.assertEqual(response.status, '401 Unauthorized')
self.assertEqual(response.message, 'Unauthorized request')
with patch('requests.post') as fake:
fake.return_value.status_code = 200
fake.return_value.json = lambda: {
'access_token': 'qwerty'
}
request.session['state'] = 'random-string'
response = oauth2_step2(request, token_uri,
client_id, client_secret,
redirect_url, scope)
self.assertEqual(response, 'qwerty')
with patch('requests.post') as fake:
fake.return_value.status_code = 200
fake.return_value.json = lambda: None
fake.return_value.text = 'access_token=qwerty'
request.session['state'] = 'random-string'
response = oauth2_step2(request, token_uri,
client_id, client_secret,
redirect_url, scope)
self.assertEqual(response, 'qwerty')
def facebook_callback(request):
settings = request.registry.settings
access_token = oauth2_step2(
request=request,
token_uri=settings['facebook_access_token_url'],
client_id=settings['facebook_app_id'],
client_secret=settings['facebook_app_secret'],
redirect_url=request.route_url('facebook_callback'),
scope=_get_scope(),
)
info = get_user_info(settings['facebook_basic_information_url'],
access_token)
user_id = info['id']
info['screen_name'] = info['name']
return register_or_update(request, 'facebook', user_id, info,
request.route_path('home'))
def google_callback(request):
settings = request.registry.settings
access_token = oauth2_step2(
request=request,
token_uri=settings['google_token_uri'],
client_id=settings['google_client_id'],
client_secret=settings['google_client_secret'],
redirect_url=request.route_url('google_callback'),
scope=_get_scope(),
)
info = get_user_info(settings['google_user_info_uri'], access_token)
user_id = info['id']
new_info = {
'screen_name': info.get('name', ''),
'first_name': info.get('given_name', ''),
'last_name': info.get('family_name', ''),
'email': info.get('email', ''),
}
return register_or_update(request, 'google', user_id, new_info,
request.route_path('home'))
