diff --git a/authlib/oauth2/rfc7636/challenge.py b/authlib/oauth2/rfc7636/challenge.py index 8303092e..38e623f9 100644 --- a/authlib/oauth2/rfc7636/challenge.py +++ b/authlib/oauth2/rfc7636/challenge.py @@ -9,6 +9,7 @@ CODE_VERIFIER_PATTERN = re.compile(r'^[a-zA-Z0-9\-._~]{43,128}$') +CODE_CHALLENGE_PATTERN = re.compile(r'^[a-zA-Z0-9\-._~]{43,128}$') def create_s256_code_challenge(code_verifier): @@ -76,6 +77,9 @@ def validate_code_challenge(self, grant): if not challenge: raise InvalidRequestError('Missing "code_challenge"') + if not CODE_CHALLENGE_PATTERN.match(challenge): + raise InvalidRequestError('Invalid "code_challenge"') + if method and method not in self.SUPPORTED_CODE_CHALLENGE_METHOD: raise InvalidRequestError('Unsupported "code_challenge_method"') diff --git a/tests/flask/test_oauth2/test_code_challenge.py b/tests/flask/test_oauth2/test_code_challenge.py index f3c25795..a5a740f7 100644 --- a/tests/flask/test_oauth2/test_code_challenge.py +++ b/tests/flask/test_oauth2/test_code_challenge.py @@ -65,18 +65,23 @@ def test_missing_code_challenge(self): def test_has_code_challenge(self): self.prepare_data() - rv = self.client.get(self.authorize_url + '&code_challenge=abc') + rv = self.client.get(self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s') self.assertEqual(rv.data, b'ok') + def test_invalid_code_challenge(self): + self.prepare_data() + rv = self.client.get(self.authorize_url + '&code_challenge=abc&code_challenge_method=plain') + self.assertIn(b'Invalid', rv.data) + def test_invalid_code_challenge_method(self): self.prepare_data() - suffix = '&code_challenge=abc&code_challenge_method=invalid' + suffix = '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s&code_challenge_method=invalid' rv = self.client.get(self.authorize_url + suffix) self.assertIn(b'Unsupported', rv.data) def test_supported_code_challenge_method(self): self.prepare_data() - suffix = '&code_challenge=abc&code_challenge_method=plain' + suffix = '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s&code_challenge_method=plain' rv = self.client.get(self.authorize_url + suffix) self.assertEqual(rv.data, b'ok') @@ -101,7 +106,7 @@ def test_trusted_client_without_code_challenge(self): def test_missing_code_verifier(self): self.prepare_data() - url = self.authorize_url + '&code_challenge=foo' + url = self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s' rv = self.client.post(url, data={'user_id': '1'}) self.assertIn('code=', rv.location) @@ -117,7 +122,7 @@ def test_missing_code_verifier(self): def test_trusted_client_missing_code_verifier(self): self.prepare_data('client_secret_basic') - url = self.authorize_url + '&code_challenge=foo' + url = self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s' rv = self.client.post(url, data={'user_id': '1'}) self.assertIn('code=', rv.location) @@ -133,7 +138,7 @@ def test_trusted_client_missing_code_verifier(self): def test_plain_code_challenge_invalid(self): self.prepare_data() - url = self.authorize_url + '&code_challenge=foo' + url = self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s' rv = self.client.post(url, data={'user_id': '1'}) self.assertIn('code=', rv.location) @@ -150,7 +155,7 @@ def test_plain_code_challenge_invalid(self): def test_plain_code_challenge_failed(self): self.prepare_data() - url = self.authorize_url + '&code_challenge=foo' + url = self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s' rv = self.client.post(url, data={'user_id': '1'}) self.assertIn('code=', rv.location) @@ -206,7 +211,7 @@ def test_s256_code_challenge_success(self): def test_not_implemented_code_challenge_method(self): self.prepare_data() - url = self.authorize_url + '&code_challenge=foo' + url = self.authorize_url + '&code_challenge=Zhs2POMonIVVHZteWfoU7cSXQSm0YjghikFGJSDI2_s' url += '&code_challenge_method=S128' rv = self.client.post(url, data={'user_id': '1'})