
Commit b6de483

akanstantsinaudopry
authored and committed
Code and docs cleanup
1 parent 0550d93 commit b6de483

1 file changed

+23
-1
lines changed

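--- a/tests/test_cors.py
+++ b/tests/test_cors.py
@@ -20,6 +20,8 @@
 # CORS is allowed for https only
 CLIENT_URI = "https://example.org"
 
+CLIENT_URI_HTTP = "http://example.org"
+
 
 @pytest.mark.usefixtures("oauth2_settings")
 @pytest.mark.oauth2_settings(presets.DEFAULT_SCOPES_RW)
@@ -39,7 +41,7 @@ def setUp(self):
 
 self.application = Application.objects.create(
 name="Test Application",
-redirect_uris=(CLIENT_URI),
+redirect_uris=CLIENT_URI,
 user=self.dev_user,
 client_type=Application.CLIENT_CONFIDENTIAL,
 authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
@@ -85,6 +87,26 @@ def test_cors_header(self):
 self.assertEqual(response.status_code, 200)
 self.assertEqual(response["Access-Control-Allow-Origin"], CLIENT_URI)
 
+def test_cors_header_no_https(self):
+"""
+Test that CORS is not allowed if origin uri does not have https:// schema
+"""
+authorization_code = self._get_authorization_code()
+
+# exchange authorization code for a valid access token
+token_request_data = {
+"grant_type": "authorization_code",
+"code": authorization_code,
+"redirect_uri": CLIENT_URI,
+}
+
+auth_headers = get_basic_auth_header(self.application.client_id, CLEARTEXT_SECRET)
+auth_headers["HTTP_ORIGIN"] = CLIENT_URI_HTTP
+response = self.client.post(reverse("oauth2_provider:token"), data=token_request_data, **auth_headers)
+
+self.assertEqual(response.status_code, 200)
+self.assertFalse(response.has_header("Access-Control-Allow-Origin"))
+
 def test_no_cors_header_origin_not_allowed(self):
 """
 Test that /token endpoint does not have Access-Control-Allow-Origin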
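Review bot: The docstring of the new `test_cors_header_no_https` undersells what the assertions pin down: the test expects the token endpoint to still answer 200 (the token is issued) while withholding `Access-Control-Allow-Origin` for an `http://` Origin, which is the point worth stating because the restriction is only enforced by the browser honouring the missing header. I would reword the docstring to `Test that a token request from an http:// origin succeeds but gets no Access-Control-Allow-Origin header (CORS is only granted to https origins).` and use "scheme" rather than "schema" for the URI component. The module comment `# CORS is allowed for https only` in the first hunk could likewise note that `CLIENT_URI_HTTP` exists as the negative case for the new test. The class body continues past the hunk with `test_no_cors_header_origin_not_allowed`, whose body is outside this diff.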
