Merge pull request #38 from wndhydrnt/fix_scope_urlencode

Fix scope parameter not being urlencoded
wndhydrnt · Mar 29, 2015 · 6b426c0 · 6b426c0
2 parents afa9d84 + c66ad7c
commit 6b426c0
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@ Improvements:
 Bugfixes:
 
   - Fix Resource Owner Grant responding with HTTP status code '500' in case an owner could not be authorized ([@wndhydrnt][])
+  - Fix "scope" parameter not being urlencoded ([@wndhydrnt][])
 
 ## 0.7.0
 

diff --git a/oauth2/grant.py b/oauth2/grant.py
@@ -466,7 +466,7 @@ def _generate_location(self, code):
         query = "code=" + code
 
         if self.state is not None:
-            query += "&state=" + self.state
+            query += "&state=" + quote(self.state)
 
         return "%s?%s" % (self.client.redirect_uri, query)
 
@@ -705,7 +705,7 @@ def _redirect_access_token(self, response, token):
             format(self.client.redirect_uri, token)
 
         if self.state is not None:
-            uri_with_fragment += "&state=" + self.state
+            uri_with_fragment += "&state=" + quote(self.state)
 
         if self.scope_handler.send_back is True:
             scopes_as_string = encode_scopes(self.scope_handler.scopes,

diff --git a/oauth2/test/test_grant.py b/oauth2/test/test_grant.py
@@ -1,6 +1,7 @@
 from mock import Mock, call, patch
 import json
 from oauth2.client_authenticator import ClientAuthenticator
+from oauth2.compatibility import quote
 from oauth2.test import unittest
 from oauth2.web import Request, Response, ResourceOwnerGrantSiteAdapter, \
     ImplicitGrantSiteAdapter, AuthorizationCodeGrantSiteAdapter
@@ -196,11 +197,11 @@ def test_process(self):
         code = "abcd"
         environ = {"session": "data"}
         scopes = ["scope"]
-        state = "mystate"
+        state = "my%state"
         redirect_uri = "https://callback"
         user_data = {"user_id": 789}
 
-        location_uri = "%s?code=%s&state=%s" % (redirect_uri, code, state)
+        location_uri = "%s?code=%s&state=%s" % (redirect_uri, code, quote(state))
 
         auth_code_store_mock = Mock(spec=AuthCodeStore)
 
@@ -793,6 +794,7 @@ def test_create_not_matching_response_type(self):
         request_mock.get_param.assert_called_with("response_type")
         self.assertEqual(result_class, None)
 
+
 class ImplicitGrantHandlerTestCase(unittest.TestCase):
     def test_process_redirect_with_token(self):
         client_id = "abc"
@@ -848,11 +850,11 @@ def test_process_redirect_with_state(self):
         ImplicitGrantHandler should include the value of the "state" query parameter from request in redirect
         """
         redirect_uri = "http://callback"
-        state = "XHGFI"
+        state = "XH%GFI"
         token = "tokencode"
         user_data = ({}, 1)
 
-        expected_redirect_uri = "%s#access_token=%s&token_type=bearer&state=%s" % (redirect_uri, token, state)
+        expected_redirect_uri = "%s#access_token=%s&token_type=bearer&state=%s" % (redirect_uri, token, quote(state))
 
         response_mock = Mock(spec=Response)