Skip to content

Commit

Permalink
Fix unhashed secret to work with request body authentication. (#1334)
Browse files Browse the repository at this point in the history
  • Loading branch information
@amanning9
amanning9 committed Oct 7, 2023
1 parent 41591ad commit 1c01da7
Show file tree
Hide file tree
Showing 3 changed files with 14 additions and 1 deletion.
1 change: 1 addition & 0 deletions AUTHORS
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ Alan Crosswell
Alejandro Mantecon Guillen
Aleksander Vaskevich
Alessandro De Angelis
Alex Manning
Alex Szabó
Allisson Azevedo
Andrea Greco
Expand Down
2 changes: 1 addition & 1 deletion oauth2_provider/oauth2_validators.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -190,7 +190,7 @@ def _authenticate_request_body(self, request):
if self._load_application(client_id, request) is None:
log.debug("Failed body auth: Application %s does not exists" % client_id)
return False
elif not check_password(client_secret, request.client.client_secret):
elif not self._check_secret(client_secret, request.client.client_secret):
log.debug("Failed body auth: wrong client secret %s" % client_secret)
return False
else:
Expand Down
12 changes: 12 additions & 0 deletions tests/test_oauth2_validators.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,18 @@ def test_authenticate_request_body(self):
self.blank_secret_request.client_secret = "wrong_client_secret"
self.assertFalse(self.validator._authenticate_request_body(self.blank_secret_request))

def test_authenticate_request_body_unhashed_secret(self):
self.application.client_secret = CLEARTEXT_SECRET
self.application.hash_client_secret = False
self.application.save()

self.request.client_id = "client_id"
self.request.client_secret = CLEARTEXT_SECRET
self.assertTrue(self.validator._authenticate_request_body(self.request))

self.application.hash_client_secret = True
self.application.save()

def test_extract_basic_auth(self):
self.request.headers = {"HTTP_AUTHORIZATION": "Basic 123456"}
self.assertEqual(self.validator._extract_basic_auth(self.request), "123456")
Expand Down

0 comments on commit 1c01da7

Please sign in to comment.