auth

Paddy 2014-08-16 Parent:9fe684b33b3d Child:e6a44cfda658

20:0ccace901036 Go to Latest

auth/authorize.go

Check session before rendering confirmation page. The confirmation page should not be rendered until the session is set. Check the request method, then check the session, then finally render the confirmation page, should we need to.

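--- a/authorize.go	Sat Aug 16 20:02:52 2014 -0400
+++ b/authorize.go	Sat Aug 16 20:06:30 2014 -0400
@@ -138,11 +138,7 @@
 }
 
 func (req AuthRequest) handleCodeRequest(w http.ResponseWriter, r *http.Request, ctx Context) {
-
-	if r.Method == "GET" {
-		ctx.RenderConfirmation(w, r, req)
-		return
-	} else if r.Method != "POST" {
+	if r.Method != "GET" && r.Method != "POST" {
 		ctx.RenderError(w, InvalidMethodError)
 		return
 	}
@@ -155,6 +151,11 @@
 		return
 	}
 
+	if r.Method == "GET" {
+		ctx.RenderConfirmation(w, r, req)
+		return
+	}
+
 	if r.FormValue("approved") != "true" {
 		redir, err := req.GetErrorRedirect(ErrorAccessDenied, "Request was not authorized.", ctx.Config.DocumentationDomain)
 		if err != nil {
@@ -191,11 +192,7 @@
 }
 
 func (req AuthRequest) handleTokenRequest(w http.ResponseWriter, r *http.Request, ctx Context) {
-
-	if r.Method == "GET" {
-		ctx.RenderConfirmation(w, r, req)
-		return
-	} else if r.Method != "POST" {
+	if r.Method != "GET" && r.Method != "POST" {
 		ctx.RenderError(w, InvalidMethodError)
 		return
 	}
@@ -208,6 +205,11 @@
 		return
 	}
 
+	if r.Method == "GET" {
+		ctx.RenderConfirmation(w, r, req)
+		return
+	}
+
 	if r.FormValue("approved") != "true" {
 		redir, err := req.GetErrorRedirect(ErrorAccessDenied, "Request was not authorized.", ctx.Config.DocumentationDomain)
 		if err != nil {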
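Review bot: The approval gate `r.FormValue("approved") != "true"` in handleCodeRequest (and the identical line in handleTokenRequest) also accepts `approved=true` from the URL query string, because FormValue merges query and body values; the grant decision on the POST path should read the body only, `if r.PostFormValue("approved") != "true" {`. No anti-CSRF token bound to the session is checked in the visible lines before the approval is honoured, so unless the elided code between the method check and the GET branch does it, a cross-site POST from a browser with a valid session would be treated as user consent. Both function bodies start and continue outside the hunks, so this is inferred from the shown context only. A short comment above each new GET branch, e.g. `// Session is valid here: GET only shows the consent form, POST carries the decision.`, would record why the ordering matters.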