Fixed optional for redirect_uri under code authorization

Author: LyricTian

manage/manage_test.go

@@ -18,7 +18,7 @@ func TestManager(t *testing.T) {
 		manager.MustTokenStorage(store.NewMemoryTokenStore())
 
 		clientStore := store.NewClientStore()
-		clientStore.Set("1", &models.Client{
+		_ = clientStore.Set("1", &models.Client{
 			ID:     "1",
 			Secret: "11",
 			Domain: "http://localhost",

manage/manager.go

@@ -144,9 +144,11 @@ func (m *Manager) GenerateAuthToken(rt oauth2.ResponseType, tgr *oauth2.TokenGen
 	cli, err := m.GetClient(tgr.ClientID)
 	if err != nil {
 		return
-	} else if verr := m.validateURI(cli.GetDomain(), tgr.RedirectURI); verr != nil {
-		err = verr
-		return
+	} else if tgr.RedirectURI != "" {
+		if verr := m.validateURI(cli.GetDomain(), tgr.RedirectURI); verr != nil {
+			err = verr
+			return
+		}
 	}
 
 	ti := models.NewToken()
@@ -236,17 +238,46 @@ func (m *Manager) delAuthorizationCode(code string) (err error) {
 	return
 }
 
+// get and delete authorization code data
+func (m *Manager) getAndDelAuthorizationCode(tgr *oauth2.TokenGenerateRequest) (info oauth2.TokenInfo, err error) {
+	code := tgr.Code
+	ti, err := m.getAuthorizationCode(code)
+	if err != nil {
+		return
+	} else if ti.GetClientID() != tgr.ClientID {
+		err = errors.ErrInvalidAuthorizeCode
+		return
+	} else if codeURI := ti.GetRedirectURI(); codeURI != "" && codeURI != tgr.RedirectURI {
+		err = errors.ErrInvalidAuthorizeCode
+		return
+	}
+
+	err = m.delAuthorizationCode(code)
+	if err != nil {
+		return
+	}
+	info = ti
+	return
+}
+
 // GenerateAccessToken generate the access token
 func (m *Manager) GenerateAccessToken(gt oauth2.GrantType, tgr *oauth2.TokenGenerateRequest) (accessToken oauth2.TokenInfo, err error) {
-	if gt == oauth2.AuthorizationCode {
-		ti, terr := m.getAuthorizationCode(tgr.Code)
-		if terr != nil {
-			err = terr
-			return
-		} else if ti.GetRedirectURI() != tgr.RedirectURI || ti.GetClientID() != tgr.ClientID {
-			err = errors.ErrInvalidAuthorizeCode
+	cli, err := m.GetClient(tgr.ClientID)
+	if err != nil {
+		return
+	} else if tgr.ClientSecret != cli.GetSecret() {
+		err = errors.ErrInvalidClient
+		return
+	} else if tgr.RedirectURI != "" {
+		if verr := m.validateURI(cli.GetDomain(), tgr.RedirectURI); verr != nil {
+			err = verr
 			return
-		} else if verr := m.delAuthorizationCode(tgr.Code); verr != nil {
+		}
+	}
+
+	if gt == oauth2.AuthorizationCode {
+		ti, verr := m.getAndDelAuthorizationCode(tgr)
+		if verr != nil {
 			err = verr
 			return
 		}
@@ -257,14 +288,6 @@ func (m *Manager) GenerateAccessToken(gt oauth2.GrantType, tgr *oauth2.TokenGene
 		}
 	}
 
-	cli, err := m.GetClient(tgr.ClientID)
-	if err != nil {
-		return
-	} else if tgr.ClientSecret != cli.GetSecret() {
-		err = errors.ErrInvalidClient
-		return
-	}
-
 	ti := models.NewToken()
 	ti.SetClientID(tgr.ClientID)
 	ti.SetUserID(tgr.UserID)

server/server.go

@@ -148,8 +148,7 @@ func (s *Server) ValidationAuthorizeRequest(r *http.Request) (req *AuthorizeRequ
 	redirectURI := r.FormValue("redirect_uri")
 	clientID := r.FormValue("client_id")
 	if !(r.Method == "GET" || r.Method == "POST") ||
-		clientID == "" ||
-		redirectURI == "" {
+		clientID == "" {
 		err = errors.ErrInvalidRequest
 		return
 	}
@@ -282,6 +281,16 @@ func (s *Server) HandleAuthorizeRequest(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	// If the redirect URI is empty, the default domain provided by the client is used.
+	if req.RedirectURI == "" {
+		client, verr := s.Manager.GetClient(req.ClientID)
+		if verr != nil {
+			err = verr
+			return
+		}
+		req.RedirectURI = client.GetDomain()
+	}
+
 	err = s.redirect(w, req, s.GetAuthorizeData(req.ResponseType, ti))
 	return
 }