Less-zealous redirect_uri normalization (#666)

jonthegeek · web-flow · commit c8d39aa7372b · 2025-02-08T08:23:24.000-06:00
Closes #646
diff --git a/NEWS.md b/NEWS.md
@@ -7,6 +7,7 @@
 * `req_headers_redacted()` supports dynamic dots (#647)
 * `resp_stream_sse()` now automatically retrieves the next event if the current event contains no data. The data is now returned as a single string (#650).
 * `aws_v4_signature()` now works if url contains query parameters (@jeffreyzuber, #645).
+* `req_oauth_auth_code()` no longer adds trailing "/" characters to well-formed `redirect_uri` values (@jonthegeek, #646).
 
 # httr2 1.1.0
 
diff --git a/R/oauth-flow-auth-code.R b/R/oauth-flow-auth-code.R
@@ -209,7 +209,7 @@ normalize_redirect_uri <- function(redirect_uri,
                                    port = deprecated(),
                                    error_call = caller_env()) {
 
-  parsed <- url_parse(redirect_uri)
+  old <- parsed <- url_parse(redirect_uri)
 
   if (lifecycle::is_present(host_name)) {
     lifecycle::deprecate_warn(
@@ -250,7 +250,7 @@ normalize_redirect_uri <- function(redirect_uri,
   }
 
   list(
-    uri = url_build(parsed),
+    uri = if (identical(old, parsed)) redirect_uri else url_build(parsed),
     localhost = localhost,
     can_fetch_code = can_fetch_oauth_code(redirect_uri)
   )
diff --git a/tests/testthat/test-oauth-flow-auth-code.R b/tests/testthat/test-oauth-flow-auth-code.R
@@ -88,6 +88,15 @@ test_that("old args are deprecated", {
 
 })
 
+test_that("urls left as is if not changes needed", {
+  # Allow tests to run when is_hosted_session() is TRUE.
+  local_mocked_bindings(is_hosted_session = function() FALSE)
+
+  original_uri <- "http://localhost:8080"
+  normalized_uri <- normalize_redirect_uri(original_uri)
+  expect_equal(normalized_uri$uri, original_uri)
+})
+
 # ouath_flow_auth_code_parse ----------------------------------------------
 
 test_that("forwards oauth error", {
@@ -125,6 +134,7 @@ test_that("external auth code sources are detected correctly", {
 
 test_that("auth codes can be retrieved from an external source", {
   skip_on_cran()
+  local_mocked_bindings(sys_sleep = function(...) {})
 
   req <- local_app_request(function(req, res) {
     # Error on first, and then respond on second

Original file line number	Diff line number	Diff line change
`@@ -209,7 +209,7 @@ normalize_redirect_uri <- function(redirect_uri,`
`209`	`209`	`port = deprecated(),`
`210`	`210`	`error_call = caller_env()) {`
`211`	`211`
`212`		`- parsed <- url_parse(redirect_uri)`
	`212`	`+ old <- parsed <- url_parse(redirect_uri)`
`213`	`213`
`214`	`214`	`if (lifecycle::is_present(host_name)) {`
`215`	`215`	`lifecycle::deprecate_warn(`
`@@ -250,7 +250,7 @@ normalize_redirect_uri <- function(redirect_uri,`
`250`	`250`	`}`
`251`	`251`
`252`	`252`	`list(`
`253`		`- uri = url_build(parsed),`
	`253`	`+ uri = if (identical(old, parsed)) redirect_uri else url_build(parsed),`
`254`	`254`	`localhost = localhost,`
`255`	`255`	`can_fetch_code = can_fetch_oauth_code(redirect_uri)`
`256`	`256`	`)`