pass back state during auto-accept oauth flows, fixes CNVS-13006

test plan:
n/a, see specs ... needs an implementation

Change-Id: If429c925b5089036a32839653b609cdd8b82d95d
Reviewed-on: https://gerrit.instructure.com/34781
Reviewed-by: Dave Donahue <ddonahue@instructure.com>
Reviewed-by: Brian Palmer <brianp@instructure.com>
Product-Review: Marc LeGendre <marc@instructure.com>
QA-Review: Marc LeGendre <marc@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Jon Jensen 2014-05-12 17:07:13 -06:00
parent 880b17c76f
commit 275bd78c68
2 changed files with 12 additions and 1 deletions


@ -648,7 +648,6 @@ class PseudonymSessionsController < ApplicationController
def oauth2_accept
redirect_params = final_oauth2_redirect_params(:remember_access => params[:remember_access])
redirect_params[:state] = session[:oauth2][:state] if session[:oauth2][:state]
final_oauth2_redirect(session[:oauth2][:redirect_uri], redirect_params)
end
@ -698,6 +697,8 @@ class PseudonymSessionsController < ApplicationController
options = {:scopes => session[:oauth2][:scopes], :remember_access => options[:remember_access], :purpose => session[:oauth2][:purpose]}
code = Canvas::Oauth::Token.generate_code_for(@current_user.global_id, session[:oauth2][:client_id], options)
redirect_params = { :code => code }
redirect_params[:state] = session[:oauth2][:state] if session[:oauth2][:state]
redirect_params
end
def final_oauth2_redirect(redirect_uri, opts = {})
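Review bot: The value echoed on the new `redirect_params[:state] = session[:oauth2][:state]` line in `final_oauth2_redirect_params` is client-supplied (it arrived on the authorization request and was parked in the session), so its safety rests on `final_oauth2_redirect` — whose `def` is the last context line here and whose body lies outside the hunk — URL-encoding the params hash rather than interpolating it into the Location header; please confirm that, since otherwise a crafted `state` could smuggle extra query parameters into the redirect. Returning it verbatim is the correct behaviour (RFC 6749 §4.1.2 requires the server to send `state` back exactly when the client supplied it), but the intent is not recorded, so I would put above that line `# RFC 6749 §4.1.2: return the client's state verbatim so it can bind this response to its own request (CSRF defence)`. Note that `final_oauth2_redirect_params`' signature precedes the hunk, and that `oauth2_accept` in the first hunk still dereferences `session[:oauth2]` unguarded, which appears to predate this change.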


@ -838,6 +838,16 @@ describe PseudonymSessionsController do
response.location.should match(/https:\/\/example.com/)
end
it 'should redirect to the redirect uri with the provided state' do
@user.access_tokens.create!({:developer_key => key, :remember_access => true, :scopes => ['/auth/userinfo'], :purpose => nil})
provider = Canvas::Oauth::Provider.new(key.id, key.redirect_uri, ['/auth/userinfo'], nil)
post :create, params, :oauth2 => provider.session_hash.merge(state: "supersekrit")
response.should be_redirect
response.location.should match(/https:\/\/example.com/)
response.location.should match(/state=supersekrit/)
end
it 'should not reuse userinfo tokens for other scopes' do
@user.access_tokens.create!({:developer_key => key, :remember_access => true, :scopes => ['/auth/userinfo'], :purpose => nil})
provider = Canvas::Oauth::Provider.new(key.id, key.redirect_uri, [], nil)