diff --git a/AUTHORS b/AUTHORS
index bb2f38a2..0bec9007 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -14,3 +14,4 @@ Tom Christie
 Chez
 Ondrej Slinták
 Mackenzie Thompson
+Hsiaoming Yang
diff --git a/oauthlib/oauth2/rfc6749/parameters.py b/oauthlib/oauth2/rfc6749/parameters.py
index f4421ff0..6b73ce2e 100644
--- a/oauthlib/oauth2/rfc6749/parameters.py
+++ b/oauthlib/oauth2/rfc6749/parameters.py
@@ -19,7 +19,7 @@
 from .errors import raise_from_error, MissingTokenError, MissingTokenTypeError
 from .errors import MismatchingStateError, MissingCodeError
 from .errors import InsecureTransportError
-from .utils import list_to_scope, scope_to_list
+from .utils import list_to_scope, scope_to_list, is_secure_transport
 
 
 def prepare_grant_uri(uri, client_id, response_type, redirect_uri=None,
@@ -61,7 +61,7 @@ def prepare_grant_uri(uri, client_id, response_type, redirect_uri=None,
     .. _`Section 3.3`: http://tools.ietf.org/html/rfc6749#section-3.3
     .. _`section 10.12`: http://tools.ietf.org/html/rfc6749#section-10.12
     """
-    if not uri.startswith('https://'):
+    if not is_secure_transport(uri):
         raise InsecureTransportError()
 
     params = [(('response_type', response_type)),
@@ -157,7 +157,7 @@ def parse_authorization_code_response(uri, state=None):
         &state=xyz
 
     """
-    if not uri.lower().startswith('https://'):
+    if not is_secure_transport(uri.lower()):
         raise InsecureTransportError()
 
     query = urlparse.urlparse(uri).query
@@ -213,7 +213,7 @@ def parse_implicit_response(uri, state=None, scope=None):
         Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA
         &state=xyz&token_type=example&expires_in=3600
     """
-    if not uri.lower().startswith('https://'):
+    if not is_secure_transport(uri.lower()):
         raise InsecureTransportError()
 
     fragment = urlparse.urlparse(uri).fragment
diff --git a/oauthlib/oauth2/rfc6749/request_validator.py b/oauthlib/oauth2/rfc6749/request_validator.py
index 92fd776d..01c45227 100644
--- a/oauthlib/oauth2/rfc6749/request_validator.py
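Review bot: The three parameters.py call sites still disagree on case handling after the helper extraction: prepare_grant_uri passes `uri` unchanged while parse_authorization_code_response and parse_implicit_response pass `uri.lower()`, so a grant URI with an upper-case `HTTPS://` scheme raises InsecureTransportError in the first function and is accepted by the other two. Since the new helper now owns the scheme check, the normalisation belongs inside it — `return uri.lower().startswith('https://')` in is_secure_transport — after which all three callers can pass `uri` directly and the `.lower()` at the @@ -157 and @@ -213 hunks can go. The same point applies to the @@ -61 hunk; each of the three function bodies continues outside its hunk.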
+++ b/oauthlib/oauth2/rfc6749/request_validator.py
@@ -337,7 +337,7 @@ def validate_refresh_token(self, refresh_token, client, request, *args, **kwargs
         raise NotImplementedError('Subclasses must implement this method.')
 
     def validate_response_type(self, client_id, response_type, client, request, *args, **kwargs):
-        """Ensure client is authorized to use the grant_type requested.
+        """Ensure client is authorized to use the response_type requested.
 
         :param client_id: Unicode client identifier
         :param response_type: Unicode response type, i.e. code, token.
diff --git a/oauthlib/oauth2/rfc6749/utils.py b/oauthlib/oauth2/rfc6749/utils.py
index 0a8aab50..b052532c 100644
--- a/oauthlib/oauth2/rfc6749/utils.py
+++ b/oauthlib/oauth2/rfc6749/utils.py
@@ -8,6 +8,7 @@
 This module contains utility methods used by various parts of the OAuth 2 spec.
 """
 
+import os
 import datetime
 try:
     from urllib import quote
@@ -80,3 +81,10 @@ def generate_age(issue_time):
     td = datetime.datetime.now() - issue_time
     age = (td.microseconds + (td.seconds + td.days * 24 * 3600) * 10**6) / 10**6
     return unicode_type(age)
+
+
+def is_secure_transport(uri):
+    """Check if the uri is over ssl."""
+    if os.environ.get('DEBUG'):
+        return True
+    return uri.startswith('https://')
diff --git a/tests/oauth2/rfc6749/test_utils.py b/tests/oauth2/rfc6749/test_utils.py
index 9d25229b..6e713a76 100644
--- a/tests/oauth2/rfc6749/test_utils.py
+++ b/tests/oauth2/rfc6749/test_utils.py
@@ -1,7 +1,9 @@
 from __future__ import absolute_import, unicode_literals
+import os
 
 from ...unittest import TestCase
 from oauthlib.oauth2.rfc6749.utils import escape, host_from_uri
+from oauthlib.oauth2.rfc6749.utils import is_secure_transport
 
 
 class UtilsTests(TestCase):
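Review bot: `os.environ.get('DEBUG')` in is_secure_transport disables the HTTPS requirement for every caller whenever any non-empty DEBUG variable is present in the process environment — `DEBUG=0` or `DEBUG=false` are truthy strings and bypass the check too — and DEBUG is a name that frameworks, shells and CI runners set for unrelated reasons, so a production deployment can silently start accepting plain-http authorization and redirect URIs. A library-scoped, clearly named variable such as `OAUTHLIB_INSECURE_TRANSPORT` would make the override an explicit opt-in, and the docstring should state it: `"""Return True if the uri uses https, or if the insecure-transport override variable is set in the environment (development only)."""`. The scheme comparison is also case-sensitive, so callers that do not lowercase the URI reject an upper-case `HTTPS://` scheme while the others accept it; `return uri.lower().startswith('https://')` removes that difference at the one place that matters.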
@@ -21,3 +23,15 @@ def test_host_from_uri(self):
         self.assertEqual(host_from_uri('https://a.b.com:8080'), ('a.b.com', '8080'))
         self.assertEqual(host_from_uri('http://www.example.com'), ('www.example.com', '80'))
         self.assertEqual(host_from_uri('https://www.example.com'), ('www.example.com', '443'))
+
+    def test_is_secure_transport(self):
+        """Test check secure uri."""
+        if 'DEBUG' in os.environ:
+            del os.environ['DEBUG']
+
+        self.assertTrue(is_secure_transport('https://example.com'))
+        self.assertFalse(is_secure_transport('http://example.com'))
+
+        os.environ['DEBUG'] = '1'
+        self.assertTrue(is_secure_transport('http://example.com'))
+        del os.environ['DEBUG']
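Review bot: test_is_secure_transport mutates os.environ with no cleanup path: if the assertion after `os.environ['DEBUG'] = '1'` fails, DEBUG stays set for every later test in the same process and flips their transport checks to "secure", and a DEBUG value that was already present when the test started is deleted rather than restored. Saving the previous value up front and restoring it in a `finally` (or registering the restore with `self.addCleanup`) keeps the test hermetic regardless of outcome. The remainder of UtilsTests lies outside the hunk.
```python
    def test_is_secure_transport(self):
        """Test check secure uri."""
        saved = os.environ.pop('DEBUG', None)
        try:
            self.assertTrue(is_secure_transport('https://example.com'))
            self.assertFalse(is_secure_transport('http://example.com'))

            os.environ['DEBUG'] = '1'
            self.assertTrue(is_secure_transport('http://example.com'))
        finally:
            os.environ.pop('DEBUG', None)
            if saved is not None:
                os.environ['DEBUG'] = saved
```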