From c77092f38b72613254ac9d2aca5318bc17dccd5e Mon Sep 17 00:00:00 2001
From: Kanellaman
Date: Tue, 21 May 2024 09:44:02 +0300
Subject: [PATCH 1/6] Add localhost to allowed loopback addresses for redirect URIs

---
 oauth2_provider/models.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/oauth2_provider/models.py b/oauth2_provider/models.py
index 661bd7dfc..77def9ff7 100644
--- a/oauth2_provider/models.py
+++ b/oauth2_provider/models.py
@@ -778,7 +778,7 @@ def redirect_to_uri_allowed(uri, allowed_uris):
         allowed_uri_is_loopback = (
             parsed_allowed_uri.scheme == "http"
-            and parsed_allowed_uri.hostname in ["127.0.0.1", "::1"]
+            and parsed_allowed_uri.hostname in ["127.0.0.1", "::1", "localhost"]
             and parsed_allowed_uri.port is None
         )
         if (

From f083d9268fb7919da7612d0f2a2f2fdbbf74d9bc Mon Sep 17 00:00:00 2001
From: Kanellaman
Date: Tue, 21 May 2024 09:59:10 +0300
Subject: [PATCH 2/6] Add tests

---
 tests/test_oauth2_backends.py | 16 +++++++++++++---
 tests/test_validators.py | 2 ++
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/tests/test_oauth2_backends.py b/tests/test_oauth2_backends.py
index 21dd7a0c3..06f05fc93 100644
--- a/tests/test_oauth2_backends.py
+++ b/tests/test_oauth2_backends.py
@@ -205,9 +205,9 @@ def test_validate_authorization_request_unsafe_query(self):
 
 @pytest.mark.parametrize(
     "uri, expected_result",
-    # localhost is _not_ a loopback URI
+
     [
-        ("http://localhost:3456", False),
+        ("http://localhost:3456", True), # localhost is supported
         # only http scheme is supported for loopback URIs
         ("https://127.0.0.1:3456", False),
         ("http://127.0.0.1:3456", True),
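Review bot: Adding `"localhost"` to the loopback hostname list on the changed line extends the any-port exemption (`parsed_allowed_uri.port is None`, two lines below) to a name rather than an address: `127.0.0.1` and `::1` are guaranteed to stay on the loopback interface, whereas `localhost` is whatever the client machine's resolver returns, which is why RFC 8252 defines loopback redirection in terms of the IP literals (§7.3) and states that the use of localhost is NOT RECOMMENDED (§8.3); the test comment this series removes (`# localhost is _not_ a loopback URI`) suggests the exclusion was deliberate. If the project still wants to accept it, record the trade-off next to the list, e.g. `# "localhost" accepted as loopback for developer convenience; RFC 8252 §8.3 prefers the IP literals because a name can resolve off-loopback`, and carry the same caveat into docs/settings.rst rather than presenting the three as equivalent. Whether the later comparison of the requested URI against this entry also requires an exact hostname match is not visible here; redirect_to_uri_allowed starts before the hunk and its body continues past it.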
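Review bot: The parametrized list gains only a positive `localhost` case; the matching negative case (`https://localhost` must be rejected) is added in `TestLocalhostRedirectURI` later in this patch and then deleted by patch 4/6, so after the series nothing asserts that the http-only rule applies to `localhost` the way `("https://127.0.0.1:3456", False)` does for the IP literal. Add `("https://localhost:3456", False),` directly under the new True case so the coverage lives in the parametrized test that survives. The decorator's argument list continues outside this hunk.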
@@ -216,8 +216,18 @@ def test_validate_authorization_request_unsafe_query(self):
     ],
 )
 def test_uri_loopback_redirect_check(uri, expected_result):
-    allowed_uris = ["http://127.0.0.1", "http://[::1]"]
+    allowed_uris = ["http://127.0.0.1", "http://[::1]", "http://localhost"]
     if expected_result:
         assert redirect_to_uri_allowed(uri, allowed_uris)
     else:
         assert not redirect_to_uri_allowed(uri, allowed_uris)
+
+class TestLocalhostRedirectURI(TestCase):
+    def test_localhost_redirect_uri(self):
+        allowed_uris = ["http://127.0.0.1", "http://[::1]", "http://localhost"]
+
+        valid_localhost_uri = "http://localhost:8000/callback"
+        invalid_localhost_uri_https = "https://localhost:8000/callback"
+
+        self.assertTrue(redirect_to_uri_allowed(valid_localhost_uri, allowed_uris))
+        self.assertFalse(redirect_to_uri_allowed(invalid_localhost_uri_https, allowed_uris))
diff --git a/tests/test_validators.py b/tests/test_validators.py
index b2bbb2970..bdb0719e9 100644
--- a/tests/test_validators.py
+++ b/tests/test_validators.py
@@ -17,6 +17,7 @@ def test_validate_good_uris(self):
             "https://1.1.1.1",
             "https://127.0.0.1",
             "https://255.255.255.255",
+            "http://localhost",
         ]
         for uri in good_uris:
             # Check ValidationError not thrown
@@ -31,6 +32,7 @@ def test_validate_custom_uri_scheme(self):
             "https://example.com",
             "HTTPS://example.com",
             "git+ssh://example.com",
+            "http://localhost",
         ]
         for uri in good_uris:
             # Check ValidationError not thrown

From dfb29c66ab4ec0c18a0c6b95f208e00e0336cc98 Mon Sep 17 00:00:00 2001
From: Kanellaman
Date: Tue, 21 May 2024 10:11:45 +0300
Subject: [PATCH 3/6] Fixed an issue in tests

---
 tests/test_validators.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/test_validators.py b/tests/test_validators.py
index bdb0719e9..4c016b1b8 100644
--- a/tests/test_validators.py
+++ b/tests/test_validators.py
@@ -8,7 +8,7 @@
 @pytest.mark.usefixtures("oauth2_settings")
 class TestValidators(TestCase):
     def test_validate_good_uris(self):
-        validator = RedirectURIValidator(allowed_schemes=["https"])
+        validator = RedirectURIValidator(allowed_schemes=["https", "http"])
         good_uris = [
             "https://example.com/",
             "https://example.org/?key=val",
@@ -24,7 +24,7 @@ def test_validate_good_uris(self):
             validator(uri)
 
     def test_validate_custom_uri_scheme(self):
-        validator = RedirectURIValidator(allowed_schemes=["my-scheme", "https", "git+ssh"])
+        validator = RedirectURIValidator(allowed_schemes=["my-scheme", "https", "git+ssh", "http"])
         good_uris = [
             "my-scheme://example.com",
             "my-scheme://example",

From 99f083b217049794a50bc279d89255e0168bdea4 Mon Sep 17 00:00:00 2001
From: Kanellaman
Date: Tue, 21 May 2024 10:16:37 +0300
Subject: [PATCH 4/6] Removed unecessary test

---
 tests/test_oauth2_backends.py | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/tests/test_oauth2_backends.py b/tests/test_oauth2_backends.py
index 06f05fc93..68805148a 100644
--- a/tests/test_oauth2_backends.py
+++ b/tests/test_oauth2_backends.py
@@ -221,13 +221,3 @@ def test_uri_loopback_redirect_check(uri, expected_result):
         assert redirect_to_uri_allowed(uri, allowed_uris)
     else:
         assert not redirect_to_uri_allowed(uri, allowed_uris)
-
-class TestLocalhostRedirectURI(TestCase):
-    def test_localhost_redirect_uri(self):
-        allowed_uris = ["http://127.0.0.1", "http://[::1]", "http://localhost"]
-
-        valid_localhost_uri = "http://localhost:8000/callback"
-        invalid_localhost_uri_https = "https://localhost:8000/callback"
-
-        self.assertTrue(redirect_to_uri_allowed(valid_localhost_uri, allowed_uris))
-        self.assertFalse(redirect_to_uri_allowed(invalid_localhost_uri_https, allowed_uris))

From ae548670c1d18278619fb72694d0fd5d8cc6827c Mon Sep 17 00:00:00 2001
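Review bot: Widening `allowed_schemes` to `["https", "http"]` in `test_validate_good_uris` changes what the existing test asserts: the https-only validator it built before is the configuration docs/settings.rst in this same series recommends for production, and with `http` allowed none of the original https entries demonstrate that the scheme restriction still holds. As far as the hunk shows, `RedirectURIValidator` is parameterized only by `allowed_schemes`, so the added `"http://localhost"` entry passes for any http URI and does not exercise anything localhost-specific; keeping the original validator and adding a separate check, e.g. `http_validator = RedirectURIValidator(allowed_schemes=["http"])` followed by `http_validator("http://localhost")`, preserves the old assertion. The second hunk in `test_validate_custom_uri_scheme` has the same shape. Both test methods continue past their hunks.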
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Tue, 21 May 2024 07:21:10 +0000
Subject: [PATCH 5/6] [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci
---
 tests/test_oauth2_backends.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/tests/test_oauth2_backends.py b/tests/test_oauth2_backends.py
index 68805148a..96e4dd0ad 100644
--- a/tests/test_oauth2_backends.py
+++ b/tests/test_oauth2_backends.py
@@ -205,9 +205,8 @@ def test_validate_authorization_request_unsafe_query(self):
 
 @pytest.mark.parametrize(
     "uri, expected_result",
-
     [
-        ("http://localhost:3456", True), # localhost is supported
+        ("http://localhost:3456", True),  # localhost is supported
         # only http scheme is supported for loopback URIs
         ("https://127.0.0.1:3456", False),
         ("http://127.0.0.1:3456", True),

From e7ef89c5e21794fa24f9b473ffc3eed57184d7da Mon Sep 17 00:00:00 2001
From: Kanellaman
Date: Tue, 21 May 2024 10:34:15 +0300
Subject: [PATCH 6/6] Update documentation

---
 docs/settings.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/settings.rst b/docs/settings.rst
index 901fe8575..e15f5e395 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -56,7 +56,7 @@ A list of schemes that the ``redirect_uri`` field will be validated against. Setting this to ``["https"]`` only in production is strongly recommended. For Native Apps the ``http`` scheme can be safely used with loopback addresses in the
-Application (``[::1]`` or ``127.0.0.1``). In this case the ``redirect_uri`` can be
+Application (``[::1]`` or ``127.0.0.1`` or ``localhost``). In this case the ``redirect_uri`` can be
 configured without explicit port specification, so that the Application accepts randomly assigned ports.