Commit 72758be
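--- a/app/controllers/oauths_controller.rb
+++ b/app/controllers/oauths_controller.rb
@@ -6,12 +6,20 @@ class OauthsController < ApplicationController
 def show
 @client = Client.find_by!(uuid: params[:client_id])
+if @client.redirect_uri != params[:redirect_uri]
+return redirect_to @client.redirect_uri_path(
+error: 'invalid_request',
+state: params[:state]
+)
+end
+
 if !VALID_RESPONSE_TYPES.include?(params[:response_type])
-redirect_to @client.redirect_uri_path(
+return redirect_to @client.redirect_uri_path(
 error: 'unsupported_response_type',
 state: params[:state]
 )
 end
+
 session[:oauth] = {
 client_id: params[:client_id],
 response_type: params[:response_type],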
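Review bot: On a mismatching `redirect_uri` the new guard at the top of `show` still redirects the user-agent (to the registered URI with `error=invalid_request`), whereas RFC 6749 §4.1.2.1 says the authorization server should inform the resource owner and not redirect when the redirect URI is missing or mismatching; rendering an error instead — e.g. `return render plain: 'invalid redirect_uri', status: :bad_request` — avoids relaying an attacker-chosen `state` to the legitimate client and, because `response_type` has not been validated yet at that point, avoids having to guess whether the error belongs in the fragment or the query string. The exact `!=` string comparison against the registered value is the right strictness (the OAuth security BCP calls for exact matching), so keep it exact rather than prefix-based if several URIs are registered later. Note that a request omitting `redirect_uri` now fails too (`nil != registered`), which is stricter than RFC 6749 §3.1.2.3 permits for a client with a single registered URI — reasonable if intended, but worth a comment such as `# redirect_uri is required and must exactly match the registered value (stricter than RFC 6749 §3.1.2.3)`. The `session[:oauth]` hash continues past the hunk, so I cannot tell whether the validated `redirect_uri` is stored there; if the token endpoint is meant to compare the code exchange's `redirect_uri` with the one used here (§4.1.3), it needs to be kept.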
spec/requests/oauth_spec.rb
@@ -29,6 +29,12 @@ RSpec.describe '/oauth' do
specify { expect(response).to redirect_to("#{client.redirect_uri}#error=unsupported_response_type") }
end
+
+ context "when the redirect uri does not match" do
+ before { get "/oauth", params: { client_id: client.to_param, response_type: 'invalid', redirect_uri: SecureRandom.uuid } }
+
+ specify { expect(response).to redirect_to("#{client.redirect_uri}#error=invalid_request") }
+ end
end
end
@@ -37,7 +43,7 @@ RSpec.describe '/oauth' do
context "when the client id is known" do
let(:client) { create(:client) }
- before { get "/oauth/authorize", params: { client_id: client.to_param, response_type: 'code', state: state } }
+ before { get "/oauth/authorize", params: { client_id: client.to_param, response_type: 'code', state: state, redirect_uri: client.redirect_uri } }
specify { expect(response).to have_http_status(:ok) }
specify { expect(response.body).to include(CGI.escapeHTML(client.name)) }
@@ -51,7 +57,7 @@ RSpec.describe '/oauth' do
context "when the client requested an authorization code" do
before :each do
- get "/oauth", params: { client_id: client.to_param, response_type: 'code', state: state }
+ get "/oauth", params: { client_id: client.to_param, response_type: 'code', state: state, redirect_uri: client.redirect_uri }
post "/oauth"
end
@@ -63,7 +69,7 @@ RSpec.describe '/oauth' do
let(:scope) { "admin" }
before :each do
- get "/oauth", params: { client_id: client.to_param, response_type: 'token', state: state }
+ get "/oauth", params: { client_id: client.to_param, response_type: 'token', state: state, redirect_uri: client.redirect_uri }
post "/oauth"
end