auth

Paddy 2014-11-02 Parent:dd75d24475c0 Child:f97ca45d5657

64:c29c7df35905 Browse Files

Parse the redirect URI early, add new failure modes to tests. When obtaining a grant code, parse the redirect_uri early as a URL, so we can fail without even hitting the database, if possible. Add a test to cover the scenario where the client doesn't specify an endpoint, and the client has no endpoints registered. Add a test to cover the scenario where the client has two endpoints registered, but doesn't specify an endpoint. Fix the test that tested for invalid URLs by actually using an invalid URL. Apparently, "not a URL" is a valid URL. Go figure.

http.go http_test.go 

     1.1 --- a/http.go	Sun Nov 02 21:15:46 2014 -0500
     1.2 +++ b/http.go	Sun Nov 02 22:28:49 2014 -0500
     1.3 @@ -32,6 +32,15 @@
     1.4  		})
     1.5  		return
     1.6  	}
     1.7 +	redirectURI := r.URL.Query().Get("redirect_uri")
     1.8 +	redirectURL, err := url.Parse(redirectURI)
     1.9 +	if err != nil {
    1.10 +		w.WriteHeader(http.StatusBadRequest)
    1.11 +		context.Render(w, getGrantTemplateName, map[string]interface{}{
    1.12 +			"error": template.HTML("The redirect_uri specified is not valid."),
    1.13 +		})
    1.14 +		return
    1.15 +	}
    1.16  	client, err := context.GetClient(clientID)
    1.17  	if err != nil {
    1.18  		if err == ErrClientNotFound {
    1.19 @@ -57,7 +66,6 @@
    1.20  		})
    1.21  		return
    1.22  	}
    1.23 -	redirectURI := r.URL.Query().Get("redirect_uri")
    1.24  	var validURI bool
    1.25  	if redirectURI != "" {
    1.26  		// BUG(paddy): We really should normalize URIs before trying to compare them.
    1.27 @@ -98,14 +106,6 @@
    1.28  	}
    1.29  	scope := r.URL.Query().Get("scope")
    1.30  	state := r.URL.Query().Get("state")
    1.31 -	redirectURL, err := url.Parse(redirectURI)
    1.32 -	if err != nil {
    1.33 -		w.WriteHeader(http.StatusBadRequest)
    1.34 -		context.Render(w, getGrantTemplateName, map[string]interface{}{
    1.35 -			"error": template.HTML("The redirect_uri specified is not valid."),
    1.36 -		})
    1.37 -		return
    1.38 -	}
    1.39  	if r.URL.Query().Get("response_type") != "code" {
    1.40  		redirectURL.Query().Add("error", "invalid_request")
    1.41  		redirectURL.Query().Add("state", state)

     2.1 --- a/http_test.go	Sun Nov 02 21:15:46 2014 -0500
     2.2 +++ b/http_test.go	Sun Nov 02 22:28:49 2014 -0500
     2.3 @@ -164,20 +164,10 @@
     2.4  	if err != nil {
     2.5  		t.Fatal("Can't parse URL:", err)
     2.6  	}
     2.7 -	endpoint := Endpoint{
     2.8 -		ID:       uuid.NewID(),
     2.9 -		ClientID: client.ID,
    2.10 -		URI:      *uri,
    2.11 -		Added:    time.Now(),
    2.12 -	}
    2.13  	err = testContext.SaveClient(client)
    2.14  	if err != nil {
    2.15  		t.Fatal("Can't store client:", err)
    2.16  	}
    2.17 -	err = testContext.AddEndpoint(client.ID, endpoint)
    2.18 -	if err != nil {
    2.19 -		t.Fatal("Can't store endpoint:", err)
    2.20 -	}
    2.21  	req, err := http.NewRequest("GET", "https://test.auth.secondbit.org/oauth2/grant", nil)
    2.22  	if err != nil {
    2.23  		t.Fatal("Can't build request:", err)
    2.24 @@ -186,6 +176,25 @@
    2.25  	params := url.Values{}
    2.26  	params.Set("response_type", "code")
    2.27  	params.Set("client_id", client.ID.String())
    2.28 +	req.URL.RawQuery = params.Encode()
    2.29 +	GetGrantHandler(w, req, testContext)
    2.30 +	if w.Code != http.StatusBadRequest {
    2.31 +		t.Errorf("Expected status code to be %d, got %d", http.StatusBadRequest, w.Code)
    2.32 +	}
    2.33 +	if w.Body.String() != "The redirect_uri specified is not valid." {
    2.34 +		t.Errorf(`Expected output to be "%s", got "%s" instead.`, "The redirect_uri specified is not valid.", w.Body.String())
    2.35 +	}
    2.36 +	endpoint := Endpoint{
    2.37 +		ID:       uuid.NewID(),
    2.38 +		ClientID: client.ID,
    2.39 +		URI:      *uri,
    2.40 +		Added:    time.Now(),
    2.41 +	}
    2.42 +	err = testContext.AddEndpoint(client.ID, endpoint)
    2.43 +	if err != nil {
    2.44 +		t.Fatal("Can't store endpoint:", err)
    2.45 +	}
    2.46 +	w = httptest.NewRecorder()
    2.47  	params.Set("redirect_uri", "https://test.secondbit.org/wrong")
    2.48  	req.URL.RawQuery = params.Encode()
    2.49  	GetGrantHandler(w, req, testContext)
    2.50 @@ -195,12 +204,28 @@
    2.51  	if w.Body.String() != "The redirect_uri specified is not valid." {
    2.52  		t.Errorf(`Expected output to be "%s", got "%s" instead.`, "The redirect_uri specified is not valid.", w.Body.String())
    2.53  	}
    2.54 -	req, err = http.NewRequest("GET", "https://test.auth.secondbit.org/oauth2/grant", nil)
    2.55 +	endpoint2 := Endpoint{
    2.56 +		ID:       uuid.NewID(),
    2.57 +		ClientID: client.ID,
    2.58 +		URI:      *uri,
    2.59 +		Added:    time.Now(),
    2.60 +	}
    2.61 +	err = testContext.AddEndpoint(client.ID, endpoint2)
    2.62  	if err != nil {
    2.63 -		t.Fatal("Can't build request:", err)
    2.64 +		t.Fatal("Can't store endpoint:", err)
    2.65  	}
    2.66  	w = httptest.NewRecorder()
    2.67 -	params.Set("redirect_uri", "not a URL")
    2.68 +	params.Set("redirect_uri", "")
    2.69 +	req.URL.RawQuery = params.Encode()
    2.70 +	GetGrantHandler(w, req, testContext)
    2.71 +	if w.Code != http.StatusBadRequest {
    2.72 +		t.Errorf("Expected status code to be %d, got %d", http.StatusBadRequest, w.Code)
    2.73 +	}
    2.74 +	if w.Body.String() != "The redirect_uri specified is not valid." {
    2.75 +		t.Errorf(`Expected output to be "%s", got "%s" instead.`, "The redirect_uri specified is not valid.", w.Body.String())
    2.76 +	}
    2.77 +	w = httptest.NewRecorder()
    2.78 +	params.Set("redirect_uri", "://not a URL")
    2.79  	req.URL.RawQuery = params.Encode()
    2.80  	GetGrantHandler(w, req, testContext)
    2.81  	if w.Code != http.StatusBadRequest {