Allow loopback redirect URIs using ports as described in RFC8252 #953
Codecov Report

Coverage diff, master vs. #953:

Coverage: 96.61% -> 96.62%
Files: 31 -> 31
Lines: 1713 -> 1716 (+3)
Hits: 1655 -> 1658 (+3)
Misses: 58 -> 58

Continue to review full report at Codecov.
thanks for your PR. can you check the PR checklist and update as appropriate? changelog, entry to the author, and possibly unit test?
I've modified the patch slightly to only accept random redirect_uri ports when there is no explicit port configured in the Application. I've added a line in the documentation, updated the CHANGELOG and AUTHORS.
While reading over this back and forth I took the opportunity to just add in some tests and factor out this logic to make it easier to unit test. Thanks for doing all the legwork on this first though! I think that this loopback special casing in redirect code (pretty sensitive area, security-wise) warranted a nice chunky comment, but my tests left me pretty happy that this is the "right" way of going forward. @auvipy since I made a change I feel a bit uncomfortable approving the PR, please look over what I pushed in.
and parsed_allowed_uri.path == parsed_uri.path | ||
) or ( | ||
parsed_allowed_uri.scheme == parsed_uri.scheme | ||
and parsed_allowed_uri.netloc == parsed_uri.netloc |
at first it looks like both of these branches could be merged! And for `scheme` and `path` it can, but `netloc` is actually inclusive of the port (it's roughly login info + hostname + port), and for loopback IPs we don't want to be requiring the port to be the same (the whole point is wanting to support ephemeral IPs)
This adds some unit tests for loopback IP code in particular, as part of reviewing the change
@rtpg Thanks for your modifications and adding those tests, I can now tick the unit-test checkbox too ;-) FWIW, I've tested your changes locally and of course it works just as well.
alright, a bit convoluted, but given that @pauldekkers and I have been going back and forth on this I think we can consider this to be reviewed sufficiently
@rtpg @pauldekkers - Hey welcome to the project. Thanks for your PR. @MattBlack85 and I are trying to be good project leads and stay on top of changes and releases and will try to slot this in to a future release after we review it. Notably @rtpg I do not see your name in AUTHORS. Please submit a PR to correct that.
Hi, when are you planning the next release and adding this feature?
Description of the Change
Allow loopback redirect URIs with ports using http scheme and localhost addresses (127.0.0.1 or ::1),
as described in RFC8252 (section 7.3).
Checklist

- CHANGELOG.md updated (only for user relevant changes)
- AUTHORS
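The matching rule discussed in this thread, as a stand-alone added example rather than django-oauth-toolkit's own code: a registered redirect URI normally has to match on scheme, netloc and path exactly, but when the registered URI is `http` to `127.0.0.1` or `::1` and carries no explicit port (RFC 8252 section 7.3, and the "no explicit port configured" refinement from the thread), any port is accepted, while scheme, host and path are still compared exactly. The function name `redirect_uri_allowed` and the helper `_is_loopback_http` are assumptions chosen for the example, not names from the project.

```python
"""Loopback redirect URI matching in the spirit of RFC 8252 section 7.3.

Added example; not the project's implementation.  `redirect_uri_allowed`
and `_is_loopback_http` are hypothetical names used for illustration.
"""
from urllib.parse import urlparse

# RFC 8252 recommends the literal loopback addresses rather than the name
# "localhost", which may resolve to something other than the loopback.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def _is_loopback_http(parsed):
    """True if `parsed` is an http:// URI whose host is a loopback literal.

    urlparse().hostname strips IPv6 brackets and lower-cases the host, so
    "http://[::1]:5000/cb" yields the hostname "::1".
    """
    return parsed.scheme == "http" and parsed.hostname in LOOPBACK_HOSTS


def _port_or_none(parsed):
    """Return the explicit port, or None if absent or unparseable.

    ParseResult.port raises ValueError on a non-numeric port; treat that as
    "no usable port" so a malformed URI never accidentally matches.
    """
    try:
        return parsed.port
    except ValueError:
        return None


def redirect_uri_allowed(uri, allowed_uris):
    """Return True if `uri` matches one of the registered `allowed_uris`.

    Normal rule: scheme, netloc (userinfo + host + port) and path must all
    match exactly.

    Loopback rule: if the registered URI is http to 127.0.0.1 or ::1 and
    was registered WITHOUT a port, any port is accepted, because a native
    app binds an ephemeral port at runtime.  Scheme, loopback host and
    path must still match exactly, so registering http://127.0.0.1/cb does
    not admit http://127.0.0.1:8080/other, and registering
    http://127.0.0.1:8080/cb (explicit port) does not admit port 9090.
    """
    parsed_uri = urlparse(uri)
    for allowed in allowed_uris:
        parsed_allowed = urlparse(allowed)

        # Exact match: this is the only path for non-loopback URIs.
        if (
            parsed_allowed.scheme == parsed_uri.scheme
            and parsed_allowed.netloc == parsed_uri.netloc
            and parsed_allowed.path == parsed_uri.path
        ):
            return True

        # Loopback match: port is ignored only when both sides are http to
        # the same loopback literal and the registration has no port.
        if (
            _is_loopback_http(parsed_allowed)
            and _is_loopback_http(parsed_uri)
            and _port_or_none(parsed_allowed) is None
            and parsed_allowed.hostname == parsed_uri.hostname
            and parsed_allowed.path == parsed_uri.path
        ):
            return True
    return False


if __name__ == "__main__":
    # Constructed inputs, not taken from any real deployment.
    registered = ["https://example.com/cb", "http://127.0.0.1/cb"]
    print(redirect_uri_allowed("http://127.0.0.1:54321/cb", registered))
    print(redirect_uri_allowed("http://127.0.0.1:54321/other", registered))
```

Note what the loopback branch still refuses: `https://127.0.0.1:54321/cb` (wrong scheme), `http://localhost:54321/cb` (not a loopback literal), and a random port against a registration that pinned `:8080`, which is the refinement pauldekkers describes in the thread.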