Skip to content

handle oauthlib errors on create token and revoke token requests#1210

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
n2ygk merged 1 commit into from
Oct 10, 2022
Merged

handle oauthlib errors on create token and revoke token requests #1210

n2ygk merged 1 commit into from
Oct 10, 2022

Conversation

@AndrejZbin
Copy link
Contributor

@AndrejZbinAndrejZbin commented Oct 4, 2022
edited
Loading

Fixes#1209

Description of the Change

Checklist

  • PR only contains one change (considered splitting up PR)
  • unit-test added
  • documentation updated
  • CHANGELOG.md updated (only for user relevant changes)
  • author name in AUTHORS

@codecov
Copy link

codecovbot commented Oct 4, 2022
edited
Loading

Codecov Report

Merging #1210 (04cf3af) into master (da459a1) will increase coverage by 0.16%.
The diff coverage is 100.00%.

@@ Coverage Diff @@## master #1210 +/- ## ========================================== + Coverage 96.04% 96.20% +0.16%  ========================================== Files 26 26 Lines 1314 1317 +3 ========================================== + Hits 1262 1267 +5 + Misses 52 50 -2
Impacted FilesCoverage Δ
oauth2_provider/oauth2_backends.py94.54% <100.00%> (+0.15%)⬆️
oauth2_provider/oauth2_validators.py93.98% <0.00%> (+0.44%)⬆️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

n2ygk
n2ygk requested changes Oct 4, 2022
View reviewed changes
Copy link
Contributor

@n2ygkn2ygk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@AndrejZbin Thanks for this and filling in the PR template.

Please add test case(s) to demonstrate the original bug and the fix.
Code coverage shows that this new code is not exercised by any tests:

https://github.com/jazzband/django-oauth-toolkit/pull/1210/checks?check_run_id=8701284936

@AndrejZbinAndrejZbinforce-pushed the fix-catch-oauth-errors branch 6 times, most recently from 8e9066f to 12c9de9CompareOctober 5, 2022 09:18
@AndrejZbinAndrejZbin requested a review from n2ygkOctober 5, 2022 11:27
n2ygk
n2ygk requested changes Oct 6, 2022
View reviewed changes
oauth2_provider/oauth2_backends.py Outdated
headers, body, status=self.server.create_revocation_response(uri, http_method, body, headers)
uri=headers.get("Location", None)
returnuri, headers, body, status
exceptOAuth2Errorasexc:
Copy link
Contributor

@n2ygkn2ygkOct 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to https://github.com/jazzband/django-oauth-toolkit/pull/1210/checks?check_run_id=8744338670 the newly-added exception case is not tested. Please add some failure tests.

Copy link
ContributorAuthor

@AndrejZbinAndrejZbinOct 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So apparently create_revocation_response errors are handled by oauthlib and the added try/except block is redundant in this function. But I think it won't hurt to be on "safe" side and still catch errors from oautlib, at least for consistency across functions. I added test cases that cover the the "except" block in both functions even when the exception is handled by oauthlib. However, if this slight redundancy is not desired, I'm happy to remove it and change only create_token_response method.

Copy link
Contributor

@n2ygkn2ygkOct 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@AndrejZbin I don't think it's necessary to have extra lines of code that will never be used and mock patching the oauthlib response is inappropriate if oauthlib would never return such a response.

Copy link
ContributorAuthor

@AndrejZbinAndrejZbinOct 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough, I reverted changes to create_revocation_response function and removed tests with mock patching.

@AndrejZbinAndrejZbinforce-pushed the fix-catch-oauth-errors branch 2 times, most recently from 9f93ff1 to 13643a7CompareOctober 10, 2022 07:43
@AndrejZbinAndrejZbinforce-pushed the fix-catch-oauth-errors branch from 13643a7 to 04cf3afCompareOctober 10, 2022 13:09
n2ygk
n2ygk approved these changes Oct 10, 2022
View reviewed changes
Copy link
Contributor

@n2ygkn2ygk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this!

@n2ygkn2ygk merged commit be34163 into django-oauth:masterOct 10, 2022
@n2ygkn2ygk added this to the 2.2.0 milestone Oct 18, 2022
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@n2ygkn2ygkn2ygk approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2.2.0

Development

Successfully merging this pull request may close these issues.

Using GET parameters in /o/token/ endpoint causes http 500 error (instead of 400)

2 participants

@AndrejZbin@n2ygk