Code and docs cleanup

Author: akanstantsinau

docs/tutorial/tutorial_01.rst

@@ -91,8 +91,8 @@ point your browser to http://localhost:8000/o/applications/ and add an Applicati
    specifies one of the verified redirection uris. For this tutorial, paste verbatim the value
    `https://www.getpostman.com/oauth2/callback`
 
- * `Allowed origins`: Web applications use Cross-Origin Resource Sharing (CORS) to request resources from origins other
-   than their own. You can provide list of origins of web applications that will have access to the token endpoint
+ * `Allowed origins`: Browser-based clients use Cross-Origin Resource Sharing (CORS) to request resources from origins other
+   than their own. You can provide list of origins that will have access to the token endpoint
    of :term:`Authorization Server`. This setting controls only token endpoint and it is not related
    with Django CORS Headers settings.
 

oauth2_provider/oauth2_backends.py

@@ -75,7 +75,8 @@ def extract_headers(self, request):
             del headers["wsgi.errors"]
         if "HTTP_AUTHORIZATION" in headers:
             headers["Authorization"] = headers["HTTP_AUTHORIZATION"]
-        # Add Access-Control-Allow-Origin header to the token endpoint response for authentication code grant, if the origin is allowed by RequestValidator.is_origin_allowed.
+        # Add Access-Control-Allow-Origin header to the token endpoint response for authentication code grant,
+        # if the origin is allowed by RequestValidator.is_origin_allowed.
         # https://github.com/oauthlib/oauthlib/pull/791
         if "HTTP_ORIGIN" in headers:
             headers["Origin"] = headers["HTTP_ORIGIN"]

oauth2_provider/oauth2_validators.py

@@ -960,10 +960,11 @@ def get_additional_claims(self, request):
         return {}
 
     def is_origin_allowed(self, client_id, origin, request, *args, **kwargs):
-        if request.client is None or not request.client.client_id:
-            return False
-        application = Application.objects.filter(client_id=request.client.client_id).first()
-        if application:
-            return application.origin_allowed(origin)
-        else:
-            return False
+        """Indicate if the given origin is allowed to access the token endpoint
+        via Cross-Origin Resource Sharing (CORS).  CORS is used by browser-based
+        clients, such as Single-Page Applications, to perform the Authorization
+        Code Grant.
+
+        Verifies if request's origin is within Application's allowed origins list.
+        """
+        return request.client.origin_allowed(origin)

tests/test_cors.py

@@ -20,6 +20,8 @@
 # CORS is allowed for https only
 CLIENT_URI = "https://example.org"
 
+CLIENT_URI_HTTP = "http://example.org"
+
 
 @pytest.mark.usefixtures("oauth2_settings")
 @pytest.mark.oauth2_settings(presets.DEFAULT_SCOPES_RW)
@@ -39,7 +41,7 @@ def setUp(self):
 
         self.application = Application.objects.create(
             name="Test Application",
-            redirect_uris=(CLIENT_URI),
+            redirect_uris=CLIENT_URI,
             user=self.dev_user,
             client_type=Application.CLIENT_CONFIDENTIAL,
             authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
@@ -85,6 +87,26 @@ def test_cors_header(self):
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response["Access-Control-Allow-Origin"], CLIENT_URI)
 
+    def test_cors_header_no_https(self):
+        """
+        Test that CORS is not allowed if origin uri does not have https:// schema
+        """
+        authorization_code = self._get_authorization_code()
+
+        # exchange authorization code for a valid access token
+        token_request_data = {
+            "grant_type": "authorization_code",
+            "code": authorization_code,
+            "redirect_uri": CLIENT_URI,
+        }
+
+        auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
+        auth_headers["HTTP_ORIGIN"] = CLIENT_URI_HTTP
+        response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
+
+        self.assertEqual(response.status_code, 200)
+        self.assertFalse(response.has_header("Access-Control-Allow-Origin"))
+
     def test_no_cors_header_origin_not_allowed(self):
         """
         Test that /token endpoint does not have Access-Control-Allow-Origin