feat(oauth): allow wildcards in redirect_uris

CHANGELOG.md

@@ -30,6 +30,7 @@
     - `udata spatial migrate` to migrate datasets geozones to new ones
     - Reindex datasets (`udata search index dataset`) if using [udata-search-service](https://github.com/opendatateam/udata-search-service)
   - Removed forgotten fields in search [#2934](https://github.com/opendatateam/udata/pull/2934)
+- Allow wildcards in redirect_uris for Oauth2Client [#2935](https://github.com/opendatateam/udata/pull/2935)
 
 ## 6.2.0 (2023-10-26)
 

udata/api/oauth2.py

@@ -13,6 +13,7 @@
 As well as a sample application:
  - https://github.com/authlib/example-oauth2-server
 '''
+import fnmatch
 
 from bson import ObjectId
 
@@ -26,7 +27,7 @@
 from authlib.oauth2.rfc7636 import CodeChallenge
 from authlib.oauth2.rfc6749.util import scope_to_list, list_to_scope
 from authlib.oauth2 import OAuth2Error
-from flask import request, render_template
+from flask import request, render_template, current_app
 from flask_security.utils import verify_password
 from werkzeug.exceptions import Unauthorized
 from werkzeug.security import gen_salt
@@ -107,7 +108,12 @@ def get_allowed_scope(self, scope):
         return list_to_scope([s for s in scope.split() if s in allowed])
 
     def check_redirect_uri(self, redirect_uri):
-        return redirect_uri in self.redirect_uris
+        if current_app.config.get("OAUTH2_ALLOW_WILDCARD_IN_REDIRECT_URI"):
+            return any(
+                fnmatch.fnmatch(redirect_uri, pattern) for pattern in self.redirect_uris
+            )
+        else:
+            return redirect_uri in self.redirect_uris
 
     def check_client_secret(self, client_secret):
         return self.secret == client_secret

udata/settings.py

@@ -153,6 +153,7 @@ class Defaults(object):
         'password': 30 * 24 * HOUR,
         'client_credentials': 30 * 24 * HOUR
     }
+    OAUTH2_ALLOW_WILDCARD_IN_REDIRECT_URI = False
 
     MD_ALLOWED_TAGS = [
         'a',

udata/tests/api/test_auth_api.py

@@ -51,13 +51,14 @@ def basic_header(client):
 @pytest.fixture
 def oauth(app, request):
     marker = request.node.get_closest_marker('oauth')
-    kwargs = marker.kwargs if marker else {}
-    return OAuth2Client.objects.create(
+    custom_kwargs = marker.kwargs if marker else {}
+    kwargs = dict(
         name='test-client',
         owner=UserFactory(),
         redirect_uris=['https://test.org/callback'],
-        **kwargs
     )
+    kwargs.update(custom_kwargs)
+    return OAuth2Client.objects.create(**kwargs)
 
 
 @pytest.mark.usefixtures('clean_db')
@@ -238,6 +239,76 @@ def test_authorization_accept(self, client, oauth):
 
         assert uri == oauth.default_redirect_uri
 
+    @pytest.mark.options(OAUTH2_ALLOW_WILDCARD_IN_REDIRECT_URI=True)
+    @pytest.mark.oauth(redirect_uris=['https://*.test.org/callback'])
+    def test_authorization_accept_wildcard(self, client, oauth):
+        '''Should redirect to the redirect_uri on authorization accepted
+        with wildcard enabled and used in config'''
+        client.login()
+
+        redirect_uri = 'https://subdomain.test.org/callback'
+
+        response = client.post(url_for(
+            'oauth.authorize',
+            response_type='code',
+            client_id=oauth.client_id,
+            redirect_uri=redirect_uri,
+        ), {
+            'scope': 'default',
+            'accept': '',
+        })
+
+        assert_status(response, 302)
+        uri, _ = response.location.split('?')
+
+        assert uri == redirect_uri
+
+    @pytest.mark.options(OAUTH2_ALLOW_WILDCARD_IN_REDIRECT_URI=False)
+    @pytest.mark.oauth(redirect_uris=['https://*.test.org/callback'])
+    def test_authorization_accept_no_wildcard(self, client, oauth):
+        '''Should not redirect to the redirect_uri on authorization accepted
+        without wildcard enabled while used in config'''
+        client.login()
+
+        redirect_uri = 'https://subdomain.test.org/callback'
+
+        response = client.post(url_for(
+            'oauth.authorize',
+            response_type='code',
+            client_id=oauth.client_id,
+            redirect_uri=redirect_uri,
+        ), {
+            'scope': 'default',
+            'accept': '',
+        })
+
+        assert_status(response, 400)
+        assert 'error' in response.json
+        assert 'redirect_uri' in response.json['error_description']
+
+    @pytest.mark.options(OAUTH2_ALLOW_WILDCARD_IN_REDIRECT_URI=True)
+    @pytest.mark.oauth(redirect_uris=['https://*.test.org/callback'])
+    def test_authorization_accept_wrong_wildcard(self, client, oauth):
+        '''Should not redirect to the redirect_uri on authorization accepted
+        with wildcard enabled but mismatched from config'''
+        client.login()
+
+        redirect_uri = 'https://subdomain.example.com/callback'
+
+        response = client.post(url_for(
+            'oauth.authorize',
+            response_type='code',
+            client_id=oauth.client_id,
+            redirect_uri=redirect_uri,
+        ), {
+            'scope': 'default',
+            'accept': '',
+        })
+
+        assert_status(response, 400)
+        assert 'error' in response.json
+        assert 'redirect_uri' in response.json['error_description']
+
     def test_authorization_grant_token(self, client, oauth):
         client.login()