Merge branch 'master' into master

Author: GuilloOme

.travis.yml

@@ -4,6 +4,7 @@ python:
     - "2.7"
     - "3.4"
     - "3.5"
+    - "3.6"
     - "pypy"
 
 script:

CHANGES.rst

@@ -3,6 +3,15 @@ Changelog
 
 Here you can see the full list of changes between each Flask-OAuthlib release.
 
+Version 0.9.5
+-------------
+
+Released on May 16, 2018
+
+- Fix error handlers
+- Update supported OAuthlib
+- Add support for string type token
+
 Version 0.9.4
 -------------
 

README.rst

@@ -17,11 +17,10 @@ Flask-OAuthlib
    :target: https://coveralls.io/r/lepture/flask-oauthlib
    :alt: Coverage Status
 
-Notification
-------------
+Notice
+------
 
-I'm working on https://github.com/lepture/authlib which will
-be the replacement of this project.
+**If you are a company, you should use https://github.com/lepture/authlib instead**.
 
 =====
 

docs/_templates/sidebarintro.html

@@ -1,3 +1,6 @@
+<h3>Notice</h3>
+<p>Flask-OAuthlib is not maintained well. Please use <strong><a href="https://authlib.org/">Authlib</a></strong> instead.</p>
+
 <h3>Feedback</h3>
 <p>Feedback is greatly appreciated. If you have any questions, comments, random praise, or anymous threats, <a href="mailto:[email protected]">shoot me an email</a>.</p>
 

docs/client.rst

@@ -1,6 +1,10 @@
 Client
 ======
 
+.. note::
+
+    Please read https://docs.authlib.org/en/latest/client/frameworks.html
+
 The client part keeps the same API as `Flask-OAuth`_. The only changes are
 the imports::
 

docs/index.rst

@@ -14,6 +14,10 @@ oauthlib_.
 The client part of Flask-OAuthlib shares the same API as Flask-OAuth,
 which is pretty and simple.
 
+.. warning::
+
+    Please use https://github.com/lepture/authlib instead.
+
 
 Features
 --------

docs/oauth1.rst

@@ -1,6 +1,10 @@
 OAuth1 Server
 =============
 
+.. note::
+
+    Please read https://docs.authlib.org/en/latest/flask/oauth1.html
+
 This part of documentation covers the tutorial of setting up an OAuth1
 provider. An OAuth1 server concerns how to grant the authorization and
 how to protect the resource. Register an **OAuth** provider::

docs/oauth2.rst

@@ -3,6 +3,10 @@
 OAuth2 Server
 =============
 
+.. note::
+
+    Please read https://docs.authlib.org/en/latest/flask/oauth2.html
+
 An OAuth2 server concerns how to grant the authorization and how to protect
 the resource. Register an **OAuth** provider::
 
@@ -495,5 +499,5 @@ Example for OAuth 2
 An example server (and client) can be found in the tests folder: https://github.com/lepture/flask-oauthlib/tree/master/tests/oauth2
 
 Other helpful resources include: 
- - Another example of an OAuth 2 server: https://github.com/lepture/example-oauth2-server
+ - Another example of an OAuth 2 server: https://github.com/authlib/example-oauth2-server
  - An article on how to create an OAuth server: http://lepture.com/en/2013/create-oauth-server.

flask_oauthlib/__init__.py

@@ -7,11 +7,11 @@
     remote OAuth enabled applications, and also helps you creating your own
     OAuth servers.
 
-    :copyright: (c) 2013 - 2017 by Hsiaoming Yang.
+    :copyright: (c) 2013 by Hsiaoming Yang.
     :license: BSD, see LICENSE for more details.
 """
 
-__version__ = "0.9.4"
+__version__ = "0.9.5"
 __author__ = "Hsiaoming Yang <[email protected]>"
 __homepage__ = 'https://github.com/lepture/flask-oauthlib'
 __license__ = 'BSD'

flask_oauthlib/provider/oauth2.py

@@ -69,11 +69,12 @@ def user():
             return jsonify(request.oauth.user)
     """
 
-    def __init__(self, app=None):
+    def __init__(self, app=None, validator_class=None):
         self._before_request_funcs = []
         self._after_request_funcs = []
         self._exception_handler = None
         self._invalid_response = None
+        self._validator_class = validator_class
         if app:
             self.init_app(app)
 
@@ -163,7 +164,10 @@ def validate_client_id(self, client_id):
             if hasattr(self, '_usergetter'):
                 usergetter = self._usergetter
 
-            validator = OAuth2RequestValidator(
+            validator_class = self._validator_class
+            if validator_class is None:
+                validator_class = OAuth2RequestValidator
+            validator = validator_class(
                 clientgetter=self._clientgetter,
                 tokengetter=self._tokengetter,
                 grantgetter=self._grantgetter,
@@ -430,7 +434,12 @@ def decorated(*args, **kwargs):
                     return self._on_exception(e, e.in_uri(self.error_uri))
                 except oauth2.OAuth2Error as e:
                     log.debug('OAuth2Error: %r', e, exc_info=True)
+                    # on auth error, we should preserve state if it's present according to RFC 6749
+                    state = request.values.get('state')
+                    if state and not e.state:
+                        e.state = state  # set e.state so e.in_uri() can add the state query parameter to redirect uri
                     return self._on_exception(e, e.in_uri(redirect_uri))
+
                 except Exception as e:
                     log.exception(e)
                     return self._on_exception(e, add_params_to_uri(
@@ -449,6 +458,10 @@ def decorated(*args, **kwargs):
                 return self._on_exception(e, e.in_uri(self.error_uri))
             except oauth2.OAuth2Error as e:
                 log.debug('OAuth2Error: %r', e, exc_info=True)
+                # on auth error, we should preserve state if it's present according to RFC 6749
+                state = request.values.get('state')
+                if state and not e.state:
+                    e.state = state  # set e.state so e.in_uri() can add the state query parameter to redirect uri
                 return self._on_exception(e, e.in_uri(redirect_uri))
 
             if not isinstance(rv, bool):
@@ -457,8 +470,9 @@ def decorated(*args, **kwargs):
 
             if not rv:
                 # denied by user
-                e = oauth2.AccessDeniedError()
+                e = oauth2.AccessDeniedError(state=request.values.get('state'))
                 return self._on_exception(e, e.in_uri(redirect_uri))
+              
             return self.confirm_authorization_request()
         return decorated
 
@@ -488,6 +502,11 @@ def confirm_authorization_request(self):
             return self._on_exception(e, e.in_uri(self.error_uri))
         except oauth2.OAuth2Error as e:
             log.debug('OAuth2Error: %r', e, exc_info=True)
+            
+            # on auth error, we should preserve state if it's present according to RFC 6749
+            state = request.values.get('state')
+            if state and not e.state:
+                e.state = state  # set e.state so e.in_uri() can add the state query parameter to redirect uri
             return self._on_exception(e, e.in_uri(redirect_uri or self.error_uri))
         except Exception as e:
             log.exception(e)

requirements.txt

@@ -1,5 +1,5 @@
-Flask==0.11.1
+Flask==0.12.2
 mock==2.0.0
-oauthlib==1.1.2
-requests-oauthlib==0.6.2
+oauthlib==2.0.6
+requests-oauthlib==0.8.0
 Flask-SQLAlchemy==2.1

setup.py

@@ -43,7 +43,7 @@ def fread(filename):
     license='BSD',
     install_requires=[
         'Flask',
-        'oauthlib>=1.1.2',
+        'oauthlib>=1.1.2,!=2.0.3,!=2.0.4,!=2.0.5,<3.0.0',
         'requests-oauthlib>=0.6.2',
     ],
     tests_require=['nose', 'Flask-SQLAlchemy', 'mock'],

tests/_base.py

@@ -32,7 +32,8 @@ def setUp(self):
             'OAUTH1_PROVIDER_ENFORCE_SSL': False,
             'OAUTH1_PROVIDER_KEY_LENGTH': (3, 30),
             'OAUTH1_PROVIDER_REALMS': ['email', 'address'],
-            'SQLALCHEMY_DATABASE_URI': 'sqlite:///%s' % self.db_file
+            'SQLALCHEMY_DATABASE_URI': 'sqlite:///%s' % self.db_file,
+            'SQLALCHEMY_TRACK_MODIFICATIONS': False
         }
         app.config.update(config)
 

tests/oauth2/test_oauth2.py

@@ -81,12 +81,21 @@ def test_oauth_authorize_valid_url(self):
         assert 'code=' in rv.location
         assert 'state' not in rv.location
 
-        # test state
+        # test state on access denied
+        # According to RFC 6749, state should be preserved on error response if it's present in the client request.
+        # Reference: https://tools.ietf.org/html/rfc6749#section-4.1.2
+        rv = self.client.post(authorize_url + '&state=foo', data=dict(
+            confirm='no'
+        ))
+        assert 'error=access_denied' in rv.location
+        assert 'state=foo' in rv.location
+
+        # test state on success
         rv = self.client.post(authorize_url + '&state=foo', data=dict(
             confirm='yes'
         ))
         assert 'code=' in rv.location
-        assert 'state' in rv.location
+        assert 'state=foo' in rv.location
 
     def test_http_head_oauth_authorize_valid_url(self):
         rv = self.client.head(authorize_url)

tests/test_oauth2/base.py

@@ -313,6 +313,7 @@ def create_app(self):
         app.debug = True
         app.secret_key = 'testing'
         app.config.update({
-            'SQLALCHEMY_DATABASE_URI': 'sqlite://'
+            'SQLALCHEMY_DATABASE_URI': 'sqlite://',
+            'SQLALCHEMY_TRACK_MODIFICATIONS': False
         })
         return app

tox.ini

@@ -1,5 +1,5 @@
 [tox]
-envlist = py27,py33,py34,py35,pypy
+envlist = py27,py33,py34,py35,py36,pypy
 
 [testenv]
 deps =