Do not pass code_verifier in request payload if None

fief-dev · Oct 13, 2024 · 4f6ced5 · 4f6ced5
1 parent 969ec00
commit 4f6ced5
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 1 deletion.
diff --git a/fief_client/client.py b/fief_client/client.py
@@ -395,8 +395,9 @@ def _get_auth_exchange_token_request(
             "grant_type": "authorization_code",
             "code": code,
             "redirect_uri": redirect_uri,
-            "code_verifier": code_verifier,
         }
+        if code_verifier is not None:
+            data["code_verifier"] = code_verifier
         if self.client_secret is not None:
             data["client_secret"] = self.client_secret
         return client.build_request("POST", endpoint, data=data)

diff --git a/tests/test_client.py b/tests/test_client.py
@@ -397,6 +397,36 @@ def test_valid_response_tenant(
             assert isinstance(userinfo, dict)
             assert userinfo["sub"] == user_id
 
+    def test_no_code_verifier(
+        self,
+        fief_client: Fief,
+        mock_api_requests: respx.MockRouter,
+        access_token: str,
+        signed_id_token: str,
+        user_id: str,
+    ):
+        token_route = mock_api_requests.post("/token")
+        token_route.return_value = Response(
+            200,
+            json={
+                "access_token": access_token,
+                "id_token": signed_id_token,
+                "token_type": "bearer",
+            },
+        )
+
+        token_response, userinfo = fief_client.auth_callback(
+            "CODE", "https://www.bretagne.duchy/callback"
+        )
+
+        token_route_call = token_route.calls.last
+        assert token_route_call is not None
+
+        request_data = token_route_call.request.content.decode("utf-8")
+        assert "client_id" in request_data
+        assert "client_secret" in request_data
+        assert "code_verifier" not in request_data
+
 
 class TestAuthRefreshToken:
     def test_error_response(