refactor(socialaccount): Distinguish default scope vs request

pennersr · pennersr · commit 7c6657f7a134 · 2024-03-21T10:57:56.000+01:00
diff --git a/allauth/socialaccount/providers/authentiq/provider.py b/allauth/socialaccount/providers/authentiq/provider.py
@@ -61,8 +61,8 @@ class AuthentiqProvider(OAuth2Provider):
     account_class = AuthentiqAccount
     oauth2_adapter_class = AuthentiqOAuth2Adapter
 
-    def get_scope(self, request):
-        scope = set(super(AuthentiqProvider, self).get_scope(request))
+    def get_scope_from_request(self, request):
+        scope = set(super().get_scope_from_request(request))
         scope.add("openid")
 
         if Scope.EMAIL in scope:
@@ -82,8 +82,8 @@ def get_default_scope(self):
             scope.append(Scope.EMAIL)
         return scope
 
-    def get_auth_params(self, request, action):
-        ret = super(AuthentiqProvider, self).get_auth_params(request, action)
+    def get_auth_params_from_request(self, request, action):
+        ret = super().get_auth_params_from_request(request, action)
         if action == AuthAction.REAUTHENTICATE:
             ret["prompt"] = "select_account"
         return ret
diff --git a/allauth/socialaccount/providers/authentiq/tests.py b/allauth/socialaccount/providers/authentiq/tests.py
@@ -45,15 +45,15 @@ def test_default_scopes_email(self):
 
     def test_scopes(self):
         request = RequestFactory().get(AuthentiqOAuth2Adapter.authorize_url)
-        scopes = self.provider.get_scope(request)
+        scopes = self.provider.get_scope_from_request(request)
         self.assertIn("openid", scopes)
         self.assertIn("aq:name", scopes)
 
     def test_dynamic_scopes(self):
         request = RequestFactory().get(
             AuthentiqOAuth2Adapter.authorize_url, dict(scope="foo")
         )
-        scopes = self.provider.get_scope(request)
+        scopes = self.provider.get_scope_from_request(request)
         self.assertIn("openid", scopes)
         self.assertIn("aq:name", scopes)
         self.assertIn("foo", scopes)
@@ -65,7 +65,7 @@ def test_dynamic_scopes(self):
     )
     def test_scopes_required_verified_email(self):
         request = RequestFactory().get(AuthentiqOAuth2Adapter.authorize_url)
-        scopes = self.provider.get_scope(request)
+        scopes = self.provider.get_scope_from_request(request)
         self.assertIn("email~rs", scopes)
         self.assertNotIn("email", scopes)
 
@@ -76,7 +76,7 @@ def test_scopes_required_verified_email(self):
     )
     def test_scopes_optional_verified_email(self):
         request = RequestFactory().get(AuthentiqOAuth2Adapter.authorize_url)
-        scopes = self.provider.get_scope(request)
+        scopes = self.provider.get_scope_from_request(request)
         self.assertIn("email~s", scopes)
         self.assertNotIn("email", scopes)
 
@@ -87,7 +87,7 @@ def test_scopes_optional_verified_email(self):
     )
     def test_scopes_required_email(self):
         request = RequestFactory().get(AuthentiqOAuth2Adapter.authorize_url)
-        scopes = self.provider.get_scope(request)
+        scopes = self.provider.get_scope_from_request(request)
         self.assertIn("email~r", scopes)
         self.assertNotIn("email", scopes)
 
@@ -98,5 +98,5 @@ def test_scopes_required_email(self):
     )
     def test_scopes_optional_email(self):
         request = RequestFactory().get(AuthentiqOAuth2Adapter.authorize_url)
-        scopes = self.provider.get_scope(request)
+        scopes = self.provider.get_scope_from_request(request)
         self.assertIn("email", scopes)
diff --git a/allauth/socialaccount/providers/basecamp/provider.py b/allauth/socialaccount/providers/basecamp/provider.py
@@ -20,8 +20,8 @@ class BasecampProvider(OAuth2Provider):
     account_class = BasecampAccount
     oauth2_adapter_class = BasecampOAuth2Adapter
 
-    def get_auth_params(self, request, action):
-        data = super(BasecampProvider, self).get_auth_params(request, action)
+    def get_auth_params_from_request(self, request, action):
+        data = super().get_auth_params_from_request(request, action)
         data["type"] = "web_server"
         return data
 
diff --git a/allauth/socialaccount/providers/cilogon/provider.py b/allauth/socialaccount/providers/cilogon/provider.py
@@ -30,8 +30,8 @@ def get_default_scope(self):
             scope.append(Scope.EMAIL)
         return scope
 
-    def get_auth_params(self, request, action):
-        ret = super(CILogonProvider, self).get_auth_params(request, action)
+    def get_auth_params_from_request(self, request, action):
+        ret = super().get_auth_params_from_request(request, action)
         if action == AuthAction.REAUTHENTICATE:
             ret["prompt"] = "select_account consent"
         return ret
diff --git a/allauth/socialaccount/providers/facebook/provider.py b/allauth/socialaccount/providers/facebook/provider.py
@@ -116,8 +116,8 @@ def get_fields(self):
         ]
         return settings.get("FIELDS", default_fields)
 
-    def get_auth_params(self, request, action):
-        ret = super(FacebookProvider, self).get_auth_params(request, action)
+    def get_auth_params_from_request(self, request, action):
+        ret = super().get_auth_params_from_request(request, action)
         if action == AuthAction.REAUTHENTICATE:
             ret["auth_type"] = "reauthenticate"
         elif action == AuthAction.REREQUEST:
@@ -131,8 +131,8 @@ def get_init_params(self, request, app):
         return init_params
 
     def get_fb_login_options(self, request):
-        ret = self.get_auth_params(request, "authenticate")
-        ret["scope"] = ",".join(self.get_scope(request))
+        ret = self.get_auth_params_from_request(request, "authenticate")
+        ret["scope"] = ",".join(self.get_scope_from_request(request))
         if ret.get("auth_type") == "reauthenticate":
             ret["auth_nonce"] = self.get_nonce(request, or_create=True)
         return ret
diff --git a/allauth/socialaccount/providers/flickr/provider.py b/allauth/socialaccount/providers/flickr/provider.py
@@ -35,8 +35,8 @@ def get_default_scope(self):
         scope = []
         return scope
 
-    def get_auth_params(self, request, action):
-        ret = super(FlickrProvider, self).get_auth_params(request, action)
+    def get_auth_params_from_request(self, request, action):
+        ret = super().get_auth_params_from_request(request, action)
         if "perms" not in ret:
             ret["perms"] = "read"
         return ret
diff --git a/allauth/socialaccount/providers/google/provider.py b/allauth/socialaccount/providers/google/provider.py
@@ -63,8 +63,8 @@ def get_default_scope(self):
             scope.append(Scope.EMAIL)
         return scope
 
-    def get_auth_params(self, request, action):
-        ret = super(GoogleProvider, self).get_auth_params(request, action)
+    def get_auth_params_from_request(self, request, action):
+        ret = super().get_auth_params_from_request(request, action)
         if action == AuthAction.REAUTHENTICATE:
             ret["prompt"] = "select_account consent"
         return ret
diff --git a/allauth/socialaccount/providers/microsoft/provider.py b/allauth/socialaccount/providers/microsoft/provider.py
@@ -27,8 +27,8 @@ def get_default_scope(self):
         """
         return ["User.Read"]
 
-    def get_auth_params(self, request, action):
-        ret = super(MicrosoftGraphProvider, self).get_auth_params(request, action)
+    def get_auth_params_from_request(self, request, action):
+        ret = super().get_auth_params_from_request(request, action)
         if action == AuthAction.REAUTHENTICATE:
             ret["prompt"] = "select_account"
         return ret
diff --git a/allauth/socialaccount/providers/oauth/provider.py b/allauth/socialaccount/providers/oauth/provider.py
@@ -13,7 +13,7 @@ def get_login_url(self, request, **kwargs):
             url = url + "?" + urlencode(kwargs)
         return url
 
-    def get_auth_params(self, request, action):
+    def get_auth_params_from_request(self, request, action):
         settings = self.get_settings()
         ret = dict(settings.get("AUTH_PARAMS", {}))
         dynamic_auth_params = request.GET.get("auth_params", None)
@@ -27,7 +27,10 @@ def get_auth_url(self, request, action):
         # adapter/provider is a bit too thin here.
         return None
 
-    def get_scope(self, request):
+    def get_scope_from_request(self, request):
+        return self.get_scope()
+
+    def get_scope(self):
         settings = self.get_settings()
         scope = settings.get("SCOPE")
         if scope is None:
diff --git a/allauth/socialaccount/providers/oauth/views.py b/allauth/socialaccount/providers/oauth/views.py
@@ -52,7 +52,7 @@ def view(request, *args, **kwargs):
     def _get_client(self, request, callback_url):
         provider = self.adapter.get_provider()
         app = provider.app
-        scope = " ".join(provider.get_scope(request))
+        scope = " ".join(provider.get_scope_from_request(request))
         parameters = {}
         if scope:
             parameters["scope"] = scope
@@ -76,7 +76,7 @@ def login(self, request, *args, **kwargs):
         action = request.GET.get("action", AuthAction.AUTHENTICATE)
         provider = self.adapter.get_provider()
         auth_url = provider.get_auth_url(request, action) or self.adapter.authorize_url
-        auth_params = provider.get_auth_params(request, action)
+        auth_params = provider.get_auth_params_from_request(request, action)
         client = self._get_client(request, callback_url)
         try:
             return client.get_redirect(auth_url, auth_params)
diff --git a/allauth/socialaccount/providers/oauth2/provider.py b/allauth/socialaccount/providers/oauth2/provider.py
@@ -40,54 +40,80 @@ def get_pkce_params(self):
             return pkce_code_params
         return {}
 
-    def get_auth_params(self, request, action):
+    def get_auth_params(self):
         """
         Returns a dictionary of additional parameters passed to the OAuth2
         redirect URL. Additional -- so no need to pass the standard `client_id`,
         `redirect_uri`, `response_type`.
         """
         settings = self.get_settings()
         ret = dict(settings.get("AUTH_PARAMS", {}))
+        return ret
+
+    def get_auth_params_from_request(self, request, action):
+        """
+        Returns a dictionary of additional parameters passed to the OAuth2
+        redirect URL. Additional -- so no need to pass the standard `client_id`,
+        `redirect_uri`, `response_type`.
+        """
+        ret = self.get_auth_params()
         dynamic_auth_params = request.GET.get("auth_params", None)
         if dynamic_auth_params:
             ret.update(dict(parse_qsl(dynamic_auth_params)))
         return ret
 
-    def get_scope(self, request):
+    def get_default_scope(self):
+        """
+        Returns the default scope to use.
+        """
+        return []
+
+    def get_scope(self):
+        """
+        Returns the scope to use, taking settings `SCOPE` into consideration.
+        """
         settings = self.get_settings()
         scope = list(settings.get("SCOPE", self.get_default_scope()))
+        return scope
+
+    def get_scope_from_request(self, request):
+        """
+        Returns the scope to use for the given request.
+        """
+        scope = self.get_scope()
         dynamic_scope = request.GET.get("scope", None)
         if dynamic_scope:
             scope.extend(dynamic_scope.split(","))
         return scope
 
-    def get_default_scope(self):
-        return []
-
     def get_oauth2_adapter(self, request):
         return self.oauth2_adapter_class(request)
 
     def get_redirect_from_request_kwargs(self, request):
         kwargs = super().get_redirect_from_request_kwargs(request)
-        kwargs["scope"] = self.get_scope(request)
+        kwargs["scope"] = self.get_scope_from_request(request)
         action = request.GET.get("action", AuthAction.AUTHENTICATE)
-        kwargs["auth_params"] = self.get_auth_params(request, action)
+        kwargs["auth_params"] = self.get_auth_params_from_request(request, action)
         return kwargs
 
     def redirect(self, request, process, next_url=None, data=None, **kwargs):
         app = self.app
         oauth2_adapter = self.get_oauth2_adapter(request)
         client = oauth2_adapter.get_client(request, app)
         auth_url = oauth2_adapter.authorize_url
-        auth_params = kwargs["auth_params"]
+        auth_params = kwargs.get("auth_params")
+        if auth_params is None:
+            auth_params = self.get_auth_params()
         pkce_params = self.get_pkce_params()
         code_verifier = pkce_params.pop("code_verifier", None)
         auth_params.update(pkce_params)
         if code_verifier:
             request.session["pkce_code_verifier"] = code_verifier
 
         client.state = self.stash_redirect_state(request, process, next_url, data)
-        scope = kwargs["scope"]
+        scope = kwargs.get("scope")
+        if scope is None:
+            scope = self.get_scope()
         try:
             return HttpResponseRedirect(
                 client.get_redirect_url(auth_url, scope, auth_params)
diff --git a/allauth/socialaccount/providers/pocket/views.py b/allauth/socialaccount/providers/pocket/views.py
@@ -17,7 +17,7 @@ class PocketOAuthLoginView(OAuthLoginView):
     def _get_client(self, request, callback_url):
         provider = self.adapter.get_provider()
         app = provider.app
-        scope = " ".join(provider.get_scope(request))
+        scope = " ".join(provider.get_scope_from_request(request))
         parameters = {}
         if scope:
             parameters["scope"] = scope
@@ -38,7 +38,7 @@ class PocketOAuthCallbackView(OAuthCallbackView):
     def _get_client(self, request, callback_url):
         provider = self.adapter.get_provider()
         app = provider.app
-        scope = " ".join(provider.get_scope(request))
+        scope = " ".join(provider.get_scope_from_request(request))
         parameters = {}
         if scope:
             parameters["scope"] = scope
diff --git a/allauth/socialaccount/providers/salesforce/provider.py b/allauth/socialaccount/providers/salesforce/provider.py
@@ -29,8 +29,8 @@ class SalesforceProvider(OAuth2Provider):
     def get_default_scope(self):
         return ["id", "openid"]
 
-    def get_auth_params(self, request, action):
-        ret = super(SalesforceProvider, self).get_auth_params(request, action)
+    def get_auth_params_from_request(self, request, action):
+        ret = super().get_auth_params_from_request(request, action)
         if action == AuthAction.REAUTHENTICATE:
             ret["approval_prompt"] = "force"
         return ret
diff --git a/allauth/socialaccount/providers/shopify/provider.py b/allauth/socialaccount/providers/shopify/provider.py
@@ -25,8 +25,8 @@ def is_per_user(self):
         )
         return grant_options.lower().strip() == "per-user"
 
-    def get_auth_params(self, request, action):
-        ret = super(ShopifyProvider, self).get_auth_params(request, action)
+    def get_auth_params_from_request(self, request, action):
+        ret = super().get_auth_params_from_request(request, action)
         shop = request.GET.get("shop", None)
         if shop:
             ret.update({"shop": shop})
diff --git a/allauth/socialaccount/providers/trainingpeaks/tests.py b/allauth/socialaccount/providers/trainingpeaks/tests.py
@@ -65,7 +65,7 @@ def test_use_production_uri(self):
     def test_scope_from_default(self):
         Request = namedtuple("request", ["GET"])
         mock_request = Request(GET={})
-        scope = self.provider.get_scope(mock_request)
+        scope = self.provider.get_scope_from_request(mock_request)
         self.assertTrue("athlete:profile" in scope)
 
     @override_settings(
@@ -76,6 +76,6 @@ def test_scope_from_default(self):
     def test_scope_from_settings(self):
         Request = namedtuple("request", ["GET"])
         mock_request = Request(GET={})
-        scope = self.provider.get_scope(mock_request)
+        scope = self.provider.get_scope_from_request(mock_request)
         for item in ("athlete:profile", "workouts", "workouts:wod"):
             self.assertTrue(item in scope)
diff --git a/allauth/socialaccount/providers/trello/provider.py b/allauth/socialaccount/providers/trello/provider.py
@@ -28,8 +28,8 @@ def extract_common_fields(self, data):
             name=data.get("name"),
         )
 
-    def get_auth_params(self, request, action):
-        data = super(TrelloProvider, self).get_auth_params(request, action)
+    def get_auth_params_from_request(self, request, action):
+        data = super().get_auth_params_from_request(request, action)
         data["type"] = "web_server"
         data["name"] = self.app.name
         # define here for how long it will be, this can be configured on the
diff --git a/allauth/socialaccount/providers/untappd/provider.py b/allauth/socialaccount/providers/untappd/provider.py
@@ -24,8 +24,8 @@ class UntappdProvider(OAuth2Provider):
     account_class = UntappdAccount
     oauth2_adapter_class = UntappdOAuth2Adapter
 
-    def get_auth_params(self, request, action):
-        params = super(UntappdProvider, self).get_auth_params(request, action)
+    def get_auth_params_from_request(self, request, action):
+        params = super().get_auth_params_from_request(request, action)
         # Untappd uses redirect_url instead of redirect_uri
         params["redirect_url"] = request.build_absolute_uri(
             reverse(self.id + "_callback")
diff --git a/allauth/socialaccount/providers/ynab/provider.py b/allauth/socialaccount/providers/ynab/provider.py
@@ -21,8 +21,8 @@ def get_default_scope(self):
         scope = [Scope.ACCESS]
         return scope
 
-    def get_auth_params(self, request, action):
-        ret = super(YNABProvider, self).get_auth_params(request, action)
+    def get_auth_params_from_request(self, request, action):
+        ret = super().get_auth_params_from_request(request, action)
         if action == AuthAction.REAUTHENTICATE:
             ret["prompt"] = "select_account consent"
         return ret
