Skip to content

Fix unhashed secret to work with request body authentication. #1334

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 7, 2023
Merged

Fix unhashed secret to work with request body authentication. #1334

merged 2 commits into from
Oct 7, 2023

Conversation

amanning9
Copy link
Contributor

Description of the Change

#1311 allowed the use of unhashed client secrets, but if a secret is unhashed it does not work if the client includes it's client_id and client_secret in the request body, instead of using basic auth- only hashed secrets work in that case.

This PR allows hashed or unhashed secrets in _authenticate_request_body too, and adds a test for this case.

I think this is small enough that it can really just be considered part of 1311 in terms of documentation and changelog- but if I'm wrong please let me know and I can come back.

Checklist

  • PR only contains one change (considered splitting up PR)
  • unit-test added
  • documentation updated
  • CHANGELOG.md updated (only for user relevant changes)
  • author name in AUTHORS

@amanning9
Unhashed secrets in _authenticate_request_body
27b0eef 
Allow the client to send credentials in the request body when the
application has an unhashed secret.

Signed-off-by: Alex Manning <[email protected]>
@amanning9
Add name to AUTHORS.
81176c2 
Signed-off-by: Alex Manning <[email protected]>
n2ygk
n2ygk approved these changes Oct 7, 2023
View reviewed changes
Copy link
Contributor

@n2ygk n2ygk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for catching this and especially for improving code coverage.

@codecov
Copy link

codecov bot commented Oct 7, 2023
edited
Loading

Codecov Report

Merging #1334 (81176c2) into master (41591ad) will not change coverage.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##           master    #1334   +/-   ##
=======================================
  Coverage   97.44%   97.44%           
=======================================
  Files          32       32           
  Lines        2073     2073           
=======================================
  Hits         2020     2020           
  Misses         53       53
Files Coverage Δ
oauth2_provider/oauth2_validators.py 94.07% <100.00%> (ø)

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@n2ygk n2ygk merged commit 1c01da7 into django-oauth:master Oct 7, 2023
@amanning9 amanning9 deleted the fix-unhashed-body-secret branch October 9, 2023 14:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@n2ygk n2ygk n2ygk approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@amanning9 @n2ygk