Validating redirect_uri according to rfc6749 4.1.3 #45

Open: almirbi wants to merge 3 commits into base: main

almirbi (Collaborator) commented Sep 5, 2017

https://tools.ietf.org/html/rfc6749#section-4.1.3

Check whether redirect_uri matches the one in the initial request;

validate_redirect_uri function does not return a registered callback from the DB anymore, if no redirect_uri has been given, as it is an optional parameter. The name of the function did not explain the behaviour well.

#17

@almirbi almirbi requested a review from rmccue September 5, 2017 11:10
@almirbi almirbi changed the title from "Validating redirect_uri according to rfc6749 4.1.3" to "Validating redirect_uri according to rfc6749 4.1.3 #17" Sep 5, 2017
@almirbi almirbi changed the title from "Validating redirect_uri according to rfc6749 4.1.3 #17" to "Validating redirect_uri according to rfc6749 4.1.3" Sep 5, 2017
private function validate_redirect_uri( $args ) {
$value = $this->get_value();

if ( ! empty( $args['redirect_uri'] ) ) {
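Review bot: `! empty( $args['redirect_uri'] )` treats an omitted parameter, an empty string and the string "0" the same way, so the branch taken when it is empty has to reject the request if `$value` records a redirect_uri from the authorization request; RFC 6749 section 4.1.3 makes the parameter required in that case. Consider checking the stored value first and returning an error early when it is set and the request value is missing or not identical.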
Member

Can we invert this check instead to return early?

@@ -108,6 +108,47 @@ public function get_expiration() {
return (int) $value['expiration'];
}

private function validate_redirect_uri( $args ) {
Member

This should be protected instead, and should have a phpDoc block.

$redirect_uri = $this->validate_redirect_uri( $client, $redirect_uri );
if ( is_wp_error( $redirect_uri ) ) {
return $redirect_uri;
if ( ! empty( $redirect_uri ) ) {
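Review bot: the `if ( ! empty( $redirect_uri ) )` guard skips `validate_redirect_uri()` whenever the parameter is absent, and the lines shown do not say which URI is used for the redirect in that case. Make the fallback explicit (a callback registered for `$client`, or an error), and check that the `is_wp_error()` return sits inside the guard so a failed validation cannot fall through.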
Member

Seems like this should always pass the $redirect_uri in?

Collaborator Author

almirbi commented Sep 16, 2017

@rmccue fixed it up a bit as suggested.

Also if there was no redirect_uri in the initial auth request, but there is one in the access token request and it matches the callbacks registered with the client - it's fine, just for convenience reasons.
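
The token-request rule discussed in this thread, written out as an added example; it is not the plugin's code and not part of the conversation. It combines RFC 6749 section 4.1.3 with the leniency described in the comment above, and the function name, parameters and sample URIs are all hypothetical.

```php
<?php
/**
 * Added example, not the plugin's code: redirect_uri check for the access
 * token request (RFC 6749 section 4.1.3). All names are hypothetical.
 *
 * @param string|null $bound      redirect_uri stored with the authorization code, null if none was sent.
 * @param string|null $presented  redirect_uri sent in the access token request, null if omitted.
 * @param string[]    $registered Callback URIs registered for the client.
 * @return true|string True on success, otherwise an OAuth error code.
 */
function check_token_redirect_uri( $bound, $presented, array $registered ) {
	// Compare against '' explicitly: empty() would also treat "0" as absent.
	$has_bound     = is_string( $bound ) && '' !== $bound;
	$has_presented = is_string( $presented ) && '' !== $presented;

	if ( $has_bound ) {
		// Sent in the authorization request: now required, and must be identical.
		if ( ! $has_presented || $presented !== $bound ) {
			return 'invalid_grant';
		}
		return true;
	}

	if ( $has_presented ) {
		// Not sent originally: accept only an exact match with a registered callback.
		return in_array( $presented, $registered, true ) ? true : 'invalid_grant';
	}

	// Omitted in both requests: nothing to compare.
	return true;
}

// Constructed sample data: array( bound, presented ).
$registered = array( 'https://client.example/callback' );
$cases      = array(
	array( 'https://client.example/callback', 'https://client.example/callback' ),
	array( 'https://client.example/callback', null ),
	array( 'https://client.example/callback', 'https://client.example/callback?x=1' ),
	array( null, 'https://client.example/callback' ),
	array( null, 'https://other.example/callback' ),
	array( null, null ),
);
foreach ( $cases as list( $bound, $presented ) ) {
	$result = check_token_redirect_uri( $bound, $presented, $registered );
	printf( "%-36s %-40s %s\n", var_export( $bound, true ), var_export( $presented, true ), true === $result ? 'ok' : $result );
}
```

Only the first, fourth and last cases pass; the others return `invalid_grant`, the RFC 6749 section 5.2 error for a grant that does not match the redirection URI used in the authorization request.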
