
Éric Araujo  committed e35fbf0

* Strip out OAuth "code" query string parameter from redirect URIs.

  • Parent commits 8dec2f3


Files changed (2)

File pyramid_facebook/auth.py

 # -*- coding: utf-8 -*-
+import urllib
 import logging
 
 from pyramid.httpexceptions import HTTPForbidden
     def _redirect_to_canvas(self):
         log.debug('redirect to canvas')
         path = self.request.route_path('facebook_canvas')
+        query_string = self.request.GET.copy()
+        query_string.pop('code', None)
         p = {'location': "//apps.facebook.com%s?%s" % (
             path,
-            # we could filter out "code" and "error*" fields
-            self.request.query_string,
+            # we could filter out "error*" fields
+            urllib.urlencode(query_string),
             )}
         return Response(js_redirect_tpl % p)
 
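Review bot: `urllib.urlencode(query_string)` on the new line can raise UnicodeEncodeError for a non-ASCII query value, because Python 2's urlencode stringifies each value with str() and WebOb's request.GET hands back unicode — worth confirming against the WebOb version in use. If that holds, encode first, e.g. `pairs = [(k, v.encode('utf-8') if isinstance(v, unicode) else v) for k, v in query_string.items()]` and then `urllib.urlencode(pairs)`. Dropping `code` here is the right call, since the authorization code would otherwise be echoed into the client-visible canvas URL; the surviving comment still says `error*` fields "could" be filtered, so either drop them in the same place or reword it to state why they are deliberately forwarded. The enclosing class starts outside the hunk.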

File pyramid_facebook/tests/unittests/test_auth.py

 
 class TestFacebookOauth(unittest.TestCase):
 
+    maxDiff = None
+
     def test_init(self):
         from pyramid_facebook.auth import FacebookCanvasOAuth
         request = mock.MagicMock()
 
         request = mock.MagicMock()
         request.scheme = 'http'
-        request.query_string = 'spam=ham'
+        request.GET = {'spam': 'ham', 'code': '2342342345gibberish'}
         request.route_path.return_value = '/facebook'
         request.registry.settings = settings
 
 
         request = mock.MagicMock()
         request.scheme = 'http'
-        request.query_string = 'spam=ham'
+        request.GET = {'spam': 'ham'}
         request.route_path.return_value = '/facebook'
         request.registry.settings = settings
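Review bot: The mocked `request.GET` is a plain dict, whereas the code under test operates on WebOb's request.GET, a MultiDict; the new `.copy()` and `.pop('code', None)` calls happen to work on both, but repeated keys and unicode values — the cases where urlencode behaves differently — are not exercised. Consider building the fixture as `request.GET = MultiDict([('spam', 'ham'), ('code', '2342342345gibberish')])` from webob.multidict and asserting that the emitted location is exactly `//apps.facebook.com/facebook?spam=ham`, so a regression that forwards `code` is caught; that assertion, if present, lies outside the hunk. Both test methods begin and end outside the hunks.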