Add codespell support: config + workflow to catch new typos, let it fix some (#1392)

* Add rudimentary codespell config

* Add pre-commit definition for codespell

Includes also squashed

- [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

- Unfortunately due to bug in codespell we need to duplicate some skipped paths for pre-commit config

* Add pragma handling to ignore for codespell and ignore a line with a key

* [DATALAD RUNCMD] run codespell throughout fixing typos automagically

=== Do not change lines below ===
{
 "chain": [],
 "cmd": "codespell -w",
 "exit": 0,
 "extra_inputs": [],
 "inputs": [],
 "outputs": [],
 "pwd": "."
}
^^^ Do not change lines above ^^^

* Added author

---------

Co-authored-by: Alan Crosswell <[email protected]>

Author: yarikoptic

.pre-commit-config.yaml

@@ -29,3 +29,11 @@ repos:
     rev: v0.9.1
     hooks:
       - id: sphinx-lint
+  # Configuration for codespell is in pyproject.toml
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.2.6
+    hooks:
+    - id: codespell
+      exclude: (package-lock.json|/locale/)
+      additional_dependencies:
+      - tomli

AUTHORS

@@ -110,4 +110,5 @@ Will Beaufoy
 pySilver
 Łukasz Skarżyński
 Wouter Klein Heerenbrink
+Yaroslav Halchenko
 Yuri Savin

CHANGELOG.md

@@ -31,7 +31,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * #1311 Add option to disable client_secret hashing to allow verifying JWTs' signatures.
 * #1337 Gracefully handle expired or deleted refresh tokens, in `validate_user`.
 * #1350 Support Python 3.12 and Django 5.0
-* #1249 Add code_challenge_methods_supported property to auto discovery informations, per [RFC 8414 section 2](https://www.rfc-editor.org/rfc/rfc8414.html#page-7)
+* #1249 Add code_challenge_methods_supported property to auto discovery information, per [RFC 8414 section 2](https://www.rfc-editor.org/rfc/rfc8414.html#page-7)
 
 
 ### Fixed
@@ -144,7 +144,7 @@ This is a major release with **BREAKING** changes. Please make sure to review th
 
 ### Added
 * #969 Add batching of expired token deletions in `cleartokens` management command and `models.clear_expired()`
-  to improve performance for removal of large numers of expired tokens. Configure with
+  to improve performance for removal of large numbers of expired tokens. Configure with
   [`CLEAR_EXPIRED_TOKENS_BATCH_SIZE`](https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html#clear-expired-tokens-batch-size) and
   [`CLEAR_EXPIRED_TOKENS_BATCH_INTERVAL`](https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html#clear-expired-tokens-batch-interval).
 * #1070 Add a Celery task for clearing expired tokens, e.g. to be scheduled as a [periodic task](https://docs.celeryproject.org/en/stable/userguide/periodic-tasks.html).
@@ -229,7 +229,7 @@ This is a major release with **BREAKING** changes. Please make sure to review th
 
 ### Added
 * #917 Documentation improvement for Access Token expiration.
-* #916 (for DOT contributors) Added `tox -e livedocs` which launches a local web server on `locahost:8000`
+* #916 (for DOT contributors) Added `tox -e livedocs` which launches a local web server on `localhost:8000`
   to display Sphinx documentation with live updates as you edit.
 * #891 (for DOT contributors) Added [details](https://django-oauth-toolkit.readthedocs.io/en/latest/contributing.html)
   on how best to contribute to this project.
@@ -434,7 +434,7 @@ This is a major release with **BREAKING** changes. Please make sure to review th
 * #185: fixed vulnerabilities on Basic authentication
 * #173: ProtectResourceMixin now allows OPTIONS requests
 * Fixed `client_id` and `client_secret` characters set
-* #169: hide sensitive informations in error emails
+* #169: hide sensitive information in error emails
 * #161: extend search to all token types when revoking a token
 * #160: return empty response on successful token revocation
 * #157: skip authorization form with ``skip_authorization_completely`` class field

docs/getting_started.rst

@@ -111,7 +111,7 @@ Configure ``users.User`` to be the model used for the ``auth`` application by ad
 
     AUTH_USER_MODEL = 'users.User'
 
-Create inital migration for ``users`` application ``User`` model::
+Create initial migration for ``users`` application ``User`` model::
 
     python manage.py makemigrations
 

docs/oidc.rst

@@ -34,7 +34,7 @@ that must be provided. ``django-oauth-toolkit`` supports two different
 algorithms for signing JWT tokens, ``RS256``, which uses asymmetric RSA keys (a
 public key and a private key), and ``HS256``, which uses a symmetric key.
 
-It is preferrable to use ``RS256``, because this produces a token that can be
+It is preferable to use ``RS256``, because this produces a token that can be
 verified by anyone using the public key (which is made available and
 discoverable by OIDC service auto-discovery, included with
 ``django-oauth-toolkit``). ``HS256`` on the other hand uses the
@@ -372,7 +372,7 @@ for a POST request.
 
 Again, to modify the content delivered, we need to add a function to our
 custom validator. The default implementation adds the claims from the ID
-token, so you will probably want to re-use that::
+token, so you will probably want to reuse that::
 
     class CustomOAuth2Validator(OAuth2Validator):
 

docs/tutorial/tutorial_01.rst

@@ -82,7 +82,7 @@ Let's register your application.
 
 You need to be logged in before registration. So, go to http://localhost:8000/admin and log in. After that
 point your browser to http://localhost:8000/o/applications/ and add an Application instance.
-`Client id` and `Client Secret` are automatically generated; you have to provide the rest of the informations:
+`Client id` and `Client Secret` are automatically generated; you have to provide the rest of the information:
 
  * `User`: the owner of the Application (e.g. a developer, or the currently logged in user.)
 

docs/tutorial/tutorial_04.rst

@@ -36,7 +36,7 @@ obtained in :doc:`part 1 <tutorial_01>`. If your application type is `Confidenti
     token=XXXX&client_id=XXXX&client_secret=XXXX
 
 
-The server will respond wih a ``200`` status code on successful revocation. You can use ``curl`` to make a revoke request on your server. If you have access to a local installation of your authorization server, you can test revoking a token with a request like that shown below, for a `Confidential` client.
+The server will respond with a ``200`` status code on successful revocation. You can use ``curl`` to make a revoke request on your server. If you have access to a local installation of your authorization server, you can test revoking a token with a request like that shown below, for a `Confidential` client.
 
 ::
 

oauth2_provider/contrib/rest_framework/permissions.py

@@ -107,7 +107,7 @@ class IsAuthenticatedOrTokenHasScope(BasePermission):
     This only returns True if the user is authenticated, but not using a token
     or using a token, and the token has the correct scope.
 
-    This is usefull when combined with the DjangoModelPermissions to allow people browse
+    This is useful when combined with the DjangoModelPermissions to allow people browse
     the browsable api's if they log in using the a non token bassed middleware,
     and let them access the api's using a rest client with a token
     """

oauth2_provider/oauth2_validators.py

@@ -104,10 +104,10 @@ def _extract_basic_auth(self, request):
         if not auth:
             return None
 
-        splitted = auth.split(" ", 1)
-        if len(splitted) != 2:
+        split = auth.split(" ", 1)
+        if len(split) != 2:
             return None
-        auth_type, auth_string = splitted
+        auth_type, auth_string = split
 
         if auth_type != "Basic":
             return None
@@ -927,7 +927,7 @@ def _get_client_by_audience(self, audience):
         return Application.objects.filter(client_id__in=audience).first()
 
     def validate_user_match(self, id_token_hint, scopes, claims, request):
-        # TODO: Fix to validate when necessary acording
+        # TODO: Fix to validate when necessary according
         # https://github.com/idan/oauthlib/blob/master/oauthlib/oauth2/rfc6749/request_validator.py#L556
         # http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest id_token_hint section
         return True

oauth2_provider/views/base.py

@@ -77,10 +77,10 @@ class AuthorizationView(BaseAuthorizationView, FormView):
 
     * then receive a ``POST`` request possibly after user authorized the access
 
-    Some informations contained in the ``GET`` request and needed to create a Grant token during
+    Some information contained in the ``GET`` request and needed to create a Grant token during
     the ``POST`` request would be lost between the two steps above, so they are temporarily stored in
     hidden fields on the form.
-    A possible alternative could be keeping such informations in the session.
+    A possible alternative could be keeping such information in the session.
 
     The endpoint is used in the following flows:
     * Authorization code