Project

General

Profile

0001-idp_oidc-do-not-delete-code-on-resolution-by-token-e.patch

Benjamin Dauvergne, 12 July 2022 12:58 PM

Download (3.16 KB)

View differences:

Subject: [PATCH] idp_oidc: do not delete code on resolution by token endpoint
 (#66893)

 src/authentic2_idp_oidc/views.py |  1 -
 tests/idp_oidc/test_misc.py      | 49 ++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+), 1 deletion(-)
src/authentic2_idp_oidc/views.py
733 733
        raise InvalidRequest(_('Parameter "code" is invalid'), client=client)
734 734
    if not oidc_code.is_valid():
735 735
        raise InvalidRequest(_('Parameter "code" has expired or user is disconnected'), client=client)
736
    models.OIDCCode.objects.filter(uuid=code).delete()
737 736
    redirect_uri = request.POST.get('redirect_uri')
738 737
    if oidc_code.redirect_uri != redirect_uri:
739 738
        raise InvalidRequest(_('Parameter "redirect_uri" does not match the code.'), client=client)
tests/idp_oidc/test_misc.py
1801 1801
    response = app.get(authorize_url)
1802 1802

  
1803 1803
    assert response.location.startswith('/accounts/edit/required/?')
1804

  
1805

  
1806
def test_token_endpoint_code_timeout(oidc_client, oidc_settings, simple_user, app, caplog, rf, freezer):
1807
    '''Verify codes are valid during 30 seconds'''
1808
    utils.login(app, simple_user)
1809

  
1810
    oidc_client.authorization_mode = oidc_client.AUTHORIZATION_MODE_NONE
1811
    oidc_client.save()
1812

  
1813
    redirect_uri = oidc_client.redirect_uris.split()[0]
1814
    params = {
1815
        'client_id': oidc_client.client_id,
1816
        'scope': 'openid profile email',
1817
        'redirect_uri': redirect_uri,
1818
        'state': 'xxx',
1819
        'nonce': 'yyy',
1820
        'login_hint': 'backoffice john@example.com',
1821
        'response_type': 'code',
1822
    }
1823
    authorize_url = make_url('oidc-authorize', params=params)
1824
    response = app.get(authorize_url)
1825
    location = urllib.parse.urlparse(response['Location'])
1826
    query = urllib.parse.parse_qs(location.query)
1827
    code = query['code'][0]
1828

  
1829
    def resolve_code(**kwargs):
1830
        token_url = make_url('oidc-token')
1831
        return app.post(
1832
            token_url,
1833
            params={
1834
                'grant_type': 'authorization_code',
1835
                'code': code,
1836
                'redirect_uri': oidc_client.redirect_uris.split()[0],
1837
            },
1838
            headers=client_authentication_headers(oidc_client),
1839
            **kwargs,
1840
        )
1841

  
1842
    response = resolve_code()
1843
    assert 'access_token' in response.json
1844

  
1845
    freezer.move_to(datetime.timedelta(seconds=29))
1846
    response = resolve_code()
1847
    assert 'access_token' in response.json
1848

  
1849
    # code should expire after 30 seconds
1850
    freezer.move_to(datetime.timedelta(seconds=1.1))
1851
    response = resolve_code(status=400)
1852
    assert 'access_token' not in response.json
1804
-