auth/http.go
Require full URLs for Endpoints. The spec says that we SHOULD require full URLs for redirection, but we _can_ offer the ability to set a URL as a "partial URL" if we really must. I see no particular reason to do this, so I've simplified the code by pulling that option out. This means that URLs (as long as they're normalized, which I've filed a bug in the codebase to do) can be checked using simple string comparison, which makes the likelihood of bugs across clientStorage implementations a lot lower.
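--- a/http.go
+++ b/http.go
@@ -46,21 +46,9 @@
 }
 redirectURI := r.URL.Query().Get("redirect_uri")
 var validURI bool
-if redirectURI != "" && numEndpoints > 1 {
-// if there's more than one registered endpoint, we need to match the
-// entire thing, character for character. So use strict checking.
-validURI, err = context.CheckEndpoint(clientID, redirectURI, true)
-if err != nil {
-w.WriteHeader(http.StatusInternalServerError)
-context.Render(w, getGrantTemplateName, map[string]interface{}{
-"internal_error": err,
-})
-return
-}
-} else if redirectURI != "" && numEndpoints == 1 {
-// if there's exactly one endpoint, we can match only the prefix of it,
-// so don't use strict checking.
-validURI, err = context.CheckEndpoint(clientID, redirectURI, false)
+if redirectURI != "" {
+// BUG(paddy): We really should normalize URIs before trying to compare them.
+validURI, err = context.CheckEndpoint(clientID, redirectURI)
 if err != nil {
 w.WriteHeader(http.StatusInternalServerError)
 context.Render(w, getGrantTemplateName, map[string]interface{}{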
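Review bot: The `BUG(paddy)` comment above the new `validURI, err = context.CheckEndpoint(clientID, redirectURI)` call should say that the planned normalization must not weaken the exact-match check this commit introduces, since the removed branch shows the codebase previously allowed prefix matching and a loose normalization step would reintroduce that class of redirect_uri mismatch. I would reword it to `// BUG(paddy): normalize redirect URIs (e.g. scheme/host case) before comparing, but keep the comparison exact — never prefix- or substring-based.` Separately, `numEndpoints` is no longer referenced in this hunk; if it is a local computed earlier in the handler and not used elsewhere, the build now fails on an unused variable, so confirm it is still read or remove its declaration. The enclosing handler begins before this hunk and continues after it, so what happens when `redirect_uri` is absent and `validURI` stays false is decided outside the shown lines.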