Merge pull request #93 from rossitsaborissova/issue_56_redirect_uri

[Issue #56] redirect_uri should be optional in case of auth code generation

Author: apostolterziev

apifest-oauth20/src/main/java/com/apifest/oauth20/AuthRequest.java

@@ -95,7 +95,7 @@ public void validate() throws OAuthException {
             throw new OAuthException(Response.RESPONSE_TYPE_NOT_SUPPORTED,
                     HttpResponseStatus.BAD_REQUEST);
         }
-        if (!isValidURI(redirectUri)) {
+        if (redirectUri != null && !isValidURI(redirectUri)) {
             throw new OAuthException(Response.INVALID_REDIRECT_URI, HttpResponseStatus.BAD_REQUEST);
         }
     }

apifest-oauth20/src/main/java/com/apifest/oauth20/AuthorizationServer.java

@@ -120,7 +120,8 @@ private boolean areClientCredentialsValid(String clientId, String clientSecret)
     public String issueAuthorizationCode(HttpRequest req) throws OAuthException {
         AuthRequest authRequest = new AuthRequest(req);
         log.debug("received client_id:" + authRequest.getClientId());
-        if (!isActiveClientId(authRequest.getClientId())) {
+        ClientCredentials activeClientCredentials = getActiveClientCredentials(authRequest.getClientId());
+        if (activeClientCredentials == null) {
             throw new OAuthException(Response.INVALID_CLIENT_ID, HttpResponseStatus.BAD_REQUEST);
         }
         authRequest.validate();
@@ -136,13 +137,17 @@ public String issueAuthorizationCode(HttpRequest req) throws OAuthException {
         db.storeAuthCode(authCode);
 
         // return redirect URI, append param code=[Authcode]
-        QueryStringEncoder enc = new QueryStringEncoder(authRequest.getRedirectUri());
+        String redirectUri = authRequest.getRedirectUri();
+        if (redirectUri == null) {
+            redirectUri = activeClientCredentials.getUri();
+        }
+        QueryStringEncoder enc = new QueryStringEncoder(redirectUri);
         enc.addParam("code", authCode.getCode());
 
         if(authCode.getState()!=null){
             enc.addParam("state", authCode.getState());
         }
-        
+
         return enc.toString();
     }
 
@@ -365,12 +370,12 @@ protected String generateCode() {
         return AuthCode.generate();
     }
 
-    protected boolean isActiveClientId(String clientId) {
+    protected ClientCredentials getActiveClientCredentials(String clientId) {
         ClientCredentials creds = db.findClientCredentials(clientId);
         if (creds != null && creds.getStatus() == ClientCredentials.ACTIVE_STATUS) {
-            return true;
+            return creds;
         }
-        return false;
+        return null;
     }
 
     // check only that clientId and clientSecret are valid, NOT that the status is active

apifest-oauth20/src/test/java/com/apifest/oauth20/AuthorizationServerTest.java

@@ -108,7 +108,8 @@ public void when_response_type_not_supported_return_error_unsupported_response_t
         HttpRequest req = mock(HttpRequest.class);
         willReturn("http://localhost/oauth20/authorize?client_id=1232&response_type=no").given(req)
             .getUri();
-        willReturn(true).given(authServer).isActiveClientId("1232");
+        ClientCredentials client = new ClientCredentials();
+        willReturn(client).given(authServer).getActiveClientCredentials("1232");
 
         // WHEN
         HttpResponseStatus status = null;
@@ -132,7 +133,8 @@ public void when_redirect_uri_not_valid_return_error_invalid_redirect_uri() {
         willReturn(
                 "http://localhost/oauth20/authorize?client_id=1232&response_type=code&redirect_uri=tp%3A%2F%2Fexample.com")
                 .given(req).getUri();
-        willReturn(true).given(authServer).isActiveClientId("1232");
+        ClientCredentials client = new ClientCredentials();
+        willReturn(client).given(authServer).getActiveClientCredentials("1232");
 
         // WHEN
         HttpResponseStatus status = null;
@@ -201,36 +203,36 @@ public void when_valid_client_id_and_active_status_return_true() throws Exceptio
         given(authServer.db.findClientCredentials(clientId)).willReturn(creds);
 
         // WHEN
-        boolean result = authServer.isActiveClientId(clientId);
+        ClientCredentials result = authServer.getActiveClientCredentials(clientId);
 
         // THEN
-        assertTrue(result);
+        assertNotNull(result);
     }
 
     @Test
-    public void when_valid_client_id_and_inactive_status_return_true() throws Exception {
+    public void when_valid_client_id_and_inactive_status_return_null() throws Exception {
         // GIVEN
         ClientCredentials creds = mock(ClientCredentials.class);
         given(creds.getStatus()).willReturn(ClientCredentials.INACTIVE_STATUS);
         given(authServer.db.findClientCredentials(clientId)).willReturn(creds);
 
         // WHEN
-        boolean result = authServer.isActiveClientId(clientId);
+        ClientCredentials result = authServer.getActiveClientCredentials(clientId);
 
         // THEN
-        assertFalse(result);
+        assertNull(result);
     }
 
     @Test
-    public void when_not_valid_client_id_return_false() throws Exception {
+    public void when_not_valid_client_id_return_null() throws Exception {
         // GIVEN
         String clienId = "203598599234220";
 
         // WHEN
-        boolean result = authServer.isActiveClientId(clienId);
+        ClientCredentials result = authServer.getActiveClientCredentials(clientId);
 
         // THEN
-        assertFalse(result);
+        assertNull(result);
     }
 
     @Test
@@ -241,7 +243,6 @@ public void when_issue_auth_code_validate_client_id() throws Exception {
                 mock(ClientCredentials.class));
         given(req.getUri())
         .willReturn("http://example.com/oauth20/authorize?client_id=" + clientId);
-        String response ="";
 
         // WHEN
         try {
@@ -251,7 +252,7 @@ public void when_issue_auth_code_validate_client_id() throws Exception {
         }
 
         // THEN
-        verify(authServer).isActiveClientId(clientId);
+        verify(authServer).getActiveClientCredentials(clientId);
     }
 
     @Test
@@ -298,6 +299,55 @@ public void when_issue_auth_code_verify_state_returned() throws Exception {
         assertTrue(response.contains(state));
     }
 
+    @Test
+    public void when_issue_auth_code_if_no_redirect_uri_use_client_app_redirect_uri() throws Exception {
+        // GIVEN
+        HttpRequest req = mock(HttpRequest.class);
+        ClientCredentials client = mock(ClientCredentials.class);
+        String state = "someState";
+        given(client.getStatus()).willReturn(ClientCredentials.ACTIVE_STATUS);
+        given(client.getUri()).willReturn("http://localhost:8080");
+        given(authServer.db.findClientCredentials(clientId)).willReturn(client);
+
+        given(req.getUri())
+            .willReturn(
+                "http://example.com/oauth20/authorize?response_type=code&client_id=" +
+                        clientId + "&state=" + state);
+        willReturn("basic").given(authServer.scopeService).getValidScope(null, clientId);
+
+        // WHEN
+        String response = authServer.issueAuthorizationCode(req);
+
+        // THEN
+        verify(authServer).generateCode();
+        assertTrue(response.contains("http://localhost:8080"));
+    }
+
+    @Test
+    public void when_issue_auth_code_with_redirect_uri_use_that_uri_in_response() throws Exception {
+        // GIVEN
+        HttpRequest req = mock(HttpRequest.class);
+        ClientCredentials client = mock(ClientCredentials.class);
+        String state = "someState";
+        given(client.getStatus()).willReturn(ClientCredentials.ACTIVE_STATUS);
+        given(client.getUri()).willReturn("http://localhost:8080");
+        given(authServer.db.findClientCredentials(clientId)).willReturn(client);
+        String redirectUri = "http://localhost:5000";
+
+        given(req.getUri())
+            .willReturn(
+                "http://example.com/oauth20/authorize?response_type=code&redirect_uri=" + redirectUri +
+                    "&client_id=" + clientId + "&state=" + state);
+        willReturn("basic").given(authServer.scopeService).getValidScope(null, clientId);
+
+        // WHEN
+        String response = authServer.issueAuthorizationCode(req);
+
+        // THEN
+        verify(authServer).generateCode();
+        assertTrue(response.contains(redirectUri));
+    }
+
     @Test
     public void when_issue_token_and_client_id_not_the_same_as_token_return_error()
             throws Exception {

apifest-oauth20/src/test/java/com/apifest/oauth20/HttpRequestHandlerTest.java

@@ -733,15 +733,15 @@ public void when_get_tokens_and_user_id_is_empty_return_missing_param_user_id()
     }
 
     @Test
-    public void when_get_tokens_client_id_invalid_return_invalid_client_id() throws Exception {
+    public void when_get_tokens_client_id_is_invalid_return_invalid_client_id() throws Exception {
         // GIVEN
         HttpRequest req = mock(HttpRequest.class);
         String userId = "214331231";
         String clientId = "218900b6c8d973881cf4185ecf";
         willReturn(HttpRequestHandler.ACCESS_TOKEN_URI + "?client_id=" + clientId + "&user_id=" + userId).given(req).getUri();
         AuthorizationServer auth = mock(AuthorizationServer.class);
         handler.auth = auth;
-        willReturn(false).given(handler.auth).isActiveClientId(clientId);
+        willReturn(false).given(handler.auth).isExistingClient(clientId);
 
 
         // WHEN