-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix unknown pkce method error when configured #1747
Fix unknown pkce method error when configured #1747
Conversation
config/locales/en.yml
Outdated
@@ -100,7 +100,7 @@ en: | |||
unauthorized_client: 'The client is not authorized to perform this request using this method.' | |||
access_denied: 'The resource owner or authorization server denied the request.' | |||
invalid_scope: 'The requested scope is invalid, unknown, or malformed.' | |||
invalid_code_challenge_method: 'The code challenge method must be plain or S256.' | |||
invalid_code_challenge_method: 'The code challenge method must be one of %{challenge_methods}.' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This could probably use some tweaking, just let me know how you think this should read.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You'd probably want to use the one / other syntax here..
invalid_code_challenge_method: 'The code challenge method must be one of %{challenge_methods}.' | |
invalid_code_challenge_method: | |
one: 'The code challenge method must be %{challenge_methods}.' | |
other: 'The code challenge method must be one of %{challenge_methods}.' |
Which would need a count
on challenge_methods
, iirc. count
is magic in that it decides whether to pick one
or other
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome suggestions, I went ahead and updated in ccc9773
@@ -12,6 +12,7 @@ def self.from_request(request, attributes = {}) | |||
attributes.merge( | |||
name: error_name_for(request.error), | |||
exception_class: exception_class_for(request.error), | |||
translate_options: request.error.try(:translate_options), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was not completely confident what classes request.error
are expected here. I can remove the try
if we always expect to receive a DoorkeeperError
here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe there's a default that can be set? grab :translate_options or fallback to {}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I default it here in error.rb
because that caught all the usages of Error
in one place.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More thinking of if the Error somehow doesn't derive from Doorkeeper::OAuth::Error, e.g., it comes from activerecord or something
lib/doorkeeper/errors.rb
Outdated
class InvalidCodeChallengeMethod < BaseResponseError | ||
def self.translate_options | ||
{ | ||
challenge_methods: Doorkeeper.config.pkce_code_challenge_methods_supported.join(", ") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Re: pluralisation in https://github.com/doorkeeper-gem/doorkeeper/pull/1747/files#r1825345954
challenge_methods: Doorkeeper.config.pkce_code_challenge_methods_supported.join(", ") | |
challenge_methods: Doorkeeper.config.pkce_code_challenge_methods_supported.join(", "), | |
count: Doorkeeper.config.pkce_code_challenge_methods_supported.length |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, used this in ccc9773
spec/lib/oauth/error_spec.rb
Outdated
context "when there are variables" do | ||
subject(:error) do | ||
described_class.new( | ||
:invalid_code_challenge_method, | ||
:some_state, | ||
{ | ||
challenge_methods: "foo, bar" | ||
} | ||
) | ||
end | ||
|
||
it "is translated from translation messages with variables" do | ||
expect(error.description).to eq("The code challenge method must be one of foo, bar.") | ||
end | ||
end |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should have a test case for the "one" option, i.e., just "foo" not "foo, bar"
(this likely more applies to pre_authorization_spec.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a test for %w(foo)
and []
in ccc9773
config/locales/en.yml
Outdated
@@ -100,7 +100,10 @@ en: | |||
unauthorized_client: 'The client is not authorized to perform this request using this method.' | |||
access_denied: 'The resource owner or authorization server denied the request.' | |||
invalid_scope: 'The requested scope is invalid, unknown, or malformed.' | |||
invalid_code_challenge_method: 'The code challenge method must be plain or S256.' | |||
invalid_code_challenge_method: | |||
zero: 'There are no acceptable code_challenge methods' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should never be reachable, but if it is, say
zero: 'There are no acceptable code_challenge methods' | |
zero: 'This authorization server does not support PKCE as there a no accepted code_challenge methods' |
Would be better?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That is better, tweaked it just a little bit to align with other messages and updated in f042917
attributes[:code_challenge_method] = "plain" | ||
|
||
expect(pre_auth).to_not be_authorizable | ||
expect(pre_auth.error_response.description).to eq("There are no acceptable code_challenge methods") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, we should use code_challenge
or code challenge
consistently.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch, this comment made me realize that we should probably be calling it code_challenge_method
since that is the actual param, so I made that change in d244e69
config/locales/en.yml
Outdated
@@ -100,7 +100,10 @@ en: | |||
unauthorized_client: 'The client is not authorized to perform this request using this method.' | |||
access_denied: 'The resource owner or authorization server denied the request.' | |||
invalid_scope: 'The requested scope is invalid, unknown, or malformed.' | |||
invalid_code_challenge_method: 'The code challenge method must be plain or S256.' | |||
invalid_code_challenge_method: | |||
zero: 'The authorization server does not support PKCE as there is no accepted code_challenge_method' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
zero: 'The authorization server does not support PKCE as there is no accepted code_challenge_method' | |
zero: 'The authorization server does not support PKCE as there are no accepted code_challenge_method values.' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I updated this message in 7e2bf4b
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tiny comment, but LGTMO
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 👍
Thanks!
Summary
I am upgrading to get the configuration update from #1735 but noticed that the error message is not correct when it is configured in that it makes it sound like we accept
plain
.#1746