fix: validate consent action and add error check after re-parse
This commit is contained in:
parent
5c4269fd6e
commit
078892a413
1 changed files with 7 additions and 0 deletions
|
|
@ -336,6 +336,9 @@ async def consent_submit(request: Request) -> Response:
|
||||||
params = urlencode({"error": "access_denied", "state": state})
|
params = urlencode({"error": "access_denied", "state": state})
|
||||||
return RedirectResponse(f"{redirect_uri}?{params}", status_code=303)
|
return RedirectResponse(f"{redirect_uri}?{params}", status_code=303)
|
||||||
|
|
||||||
|
if action != "allow":
|
||||||
|
return HTMLResponse("<h1>Error</h1><p>Invalid action</p>", status_code=400)
|
||||||
|
|
||||||
# Allow — collect approved scopes
|
# Allow — collect approved scopes
|
||||||
approved_scopes = form.getlist("scope")
|
approved_scopes = form.getlist("scope")
|
||||||
if "openid" not in approved_scopes:
|
if "openid" not in approved_scopes:
|
||||||
|
|
@ -357,4 +360,8 @@ async def consent_submit(request: Request) -> Response:
|
||||||
except Exception as exc:
|
except Exception as exc:
|
||||||
return HTMLResponse(f"<h1>Error</h1><p>{exc}</p>", status_code=400)
|
return HTMLResponse(f"<h1>Error</h1><p>{exc}</p>", status_code=400)
|
||||||
|
|
||||||
|
if "error" in parsed:
|
||||||
|
error_desc = parsed.get("error_description", parsed["error"])
|
||||||
|
return HTMLResponse(f"<h1>Error</h1><p>{error_desc}</p>", status_code=400)
|
||||||
|
|
||||||
return await _complete_authorization(request, oidc_server, endpoint, parsed, userid, username)
|
return await _complete_authorization(request, oidc_server, endpoint, parsed, userid, username)
|
||||||
|
|
|
||||||
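Review bot: `error_desc` is interpolated into the HTML body unescaped on the last added line of the second hunk, so if the re-parse's `error_description` echoes any request parameter (a redirect_uri or scope value, say — that depends on the parser, which is not visible here) the endpoint reflects attacker-controlled markup back to the browser. Escape it before building the page: `return HTMLResponse(f"<h1>Error</h1><p>{html.escape(error_desc)}</p>", status_code=400)`, adding `import html` at the top of the file if it is not already in scope. The pre-existing `{exc}` line just above has the same shape and could get the same treatment in a follow-up, since exception text from a parser often contains the offending input too. consent_submit's body begins before the first hunk.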