providers/oauth2: fix redirect_uri not being checked correctly if multiple redirect_uris are configured

2020-08-20 16:41:00 +02:00
parent 86597df159
commit 0eb94df1f7
4 changed files with 4 additions and 26 deletions
--- a/passbook/providers/oauth2/views/authorize.py
+++ b/passbook/providers/oauth2/views/authorize.py
@ -143,8 +143,8 @@ class OAuthAuthorizationParams:
        if is_open_id and not self.redirect_uri:
            LOGGER.warning("Missing redirect uri.")
            raise RedirectUriError()
-        if self.redirect_uri not in self.provider.redirect_uris:
-            LOGGER.warning("Invalid redirect uri", redirect_uri=self.redirect_uri)
+        if self.redirect_uri not in self.provider.redirect_uris.split():
+            LOGGER.warning("Invalid redirect uri", redirect_uri=self.redirect_uri, excepted=self.provider.redirect_uris.split())
            raise RedirectUriError()

        if not is_open_id and (
--- a/passbook/providers/oauth2/views/token.py
+++ b/passbook/providers/oauth2/views/token.py
@ -109,8 +109,8 @@ class TokenParams:
            LOGGER.warning("Missing authorization code")
            raise TokenError("invalid_grant")

-        if self.redirect_uri not in self.provider.redirect_uris:
-            LOGGER.warning("Invalid redirect uri", uri=self.redirect_uri)
+        if self.redirect_uri not in self.provider.redirect_uris.split():
+            LOGGER.warning("Invalid redirect uri", uri=self.redirect_uri, expected=self.provider.redirect_uris.split())
            raise TokenError("invalid_client")

        try: