Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resolve issue with HTTP status codes /ui/login and type checks #71

Merged
merged 2 commits into from
Apr 4, 2024
Merged

Resolve issue with HTTP status codes /ui/login and type checks #71

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5436427
change application_id type to be UUID
Lopkop Apr 4, 2024
cbbbfbf
return 404 status code if application_id is invalid
Lopkop Apr 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 10 additions & 4 deletions abandonauth/routers/ui.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
from typing import Annotated
from uuid import UUID

import httpx
from fastapi import APIRouter, Form, Request, HTTPException
from fastapi.responses import HTMLResponse, RedirectResponse
from fastapi.templating import Jinja2Templates
from prisma.models import DeveloperApplication
from starlette.status import HTTP_403_FORBIDDEN, HTTP_400_BAD_REQUEST, HTTP_303_SEE_OTHER
from starlette.status import HTTP_403_FORBIDDEN, HTTP_400_BAD_REQUEST, HTTP_303_SEE_OTHER, HTTP_404_NOT_FOUND

from abandonauth import templates # type: ignore

Expand Down Expand Up @@ -319,7 +320,7 @@ async def edit_dev_application_callback_uris(


@router.get("/login", response_class=HTMLResponse, include_in_schema=False)
async def oauth_login(request: Request, application_id: str | None = None, callback_uri: str | None = None):
async def oauth_login(request: Request, application_id: UUID | None = None, callback_uri: str | None = None):
"""Login for initiating the OAuth flow

This page is used to start the OAuth flow for applications using AbandonAuth.
Expand All @@ -335,13 +336,18 @@ async def oauth_login(request: Request, application_id: str | None = None, callb
)
else:
dev_app = await DeveloperApplication.prisma().find_unique(
where={"id": application_id},
where={"id": str(application_id)},
include={"callback_uris": True}
)

# This check is a convenience in order to provide accurate and immediate feedback to users
# The security check for application IDs and callback URIs must be done later in the auth flow
if not dev_app or not dev_app.callback_uris or callback_uri not in [x.uri for x in dev_app.callback_uris]:
if not dev_app:
raise HTTPException(
status_code=HTTP_404_NOT_FOUND,
detail="Invalid application ID",
)
if not dev_app.callback_uris or callback_uri not in [x.uri for x in dev_app.callback_uris]:
raise HTTPException(
status_code=HTTP_403_FORBIDDEN,
detail="Invalid application ID or callback_uri",
Expand Down
Loading