1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
def commonCheck(request, mode=b"no-cors"):
if request.headers.get(b"Accept") != b"application/json":
return (531, [], "Wrong Accept")
if request.headers.get(b"Sec-Fetch-Dest") != b"webidentity":
return (532, [], "Wrong Sec-Fetch-Dest header")
if request.headers.get(b"Referer"):
return (533, [], "Should not have Referer")
if request.headers.get(b"Sec-Fetch-Mode") != mode:
return (534, [], "Wrong Sec-Fetch-Mode header")
def commonUncredentialedRequestCheck(request):
if len(request.cookies) > 0:
return (535, [], "Cookie should not be sent to this endpoint")
if request.headers.get(b"Sec-Fetch-Site") != b"cross-site":
return (536, [], "Wrong Sec-Fetch-Site header")
def commonCredentialedRequestCheck(request):
if request.cookies.get(b"cookie") != b"1":
return (537, [], "Missing cookie")
if request.headers.get(b"Sec-Fetch-Site") != b"none":
return (538, [], "Wrong Sec-Fetch-Site header")
def commonPostCheck(request):
if not request.headers.get(b"Origin"):
return (540, [], "Missing Origin")
if request.method != "POST":
return (541, [], "Method is not POST")
if request.headers.get(b"Content-Type") != b"application/x-www-form-urlencoded":
return (542, [], "Wrong Content-Type")
if not request.POST.get(b"client_id"):
return (543, [], "Missing 'client_id' POST parameter")
def manifestCheck(request):
common_error = commonCheck(request)
if (common_error):
return common_error
common_uncredentialed_error = commonUncredentialedRequestCheck(request)
if (common_uncredentialed_error):
return common_uncredentialed_error
if request.headers.get(b"Origin"):
return (539, [], "Should not have Origin")
def clientMetadataCheck(request):
if (request.GET.get(b'skip_checks', b'0') != b'1'):
common_error = commonCheck(request)
if (common_error):
return common_error
common_uncredentialed_error = commonUncredentialedRequestCheck(request)
if (common_uncredentialed_error):
return common_uncredentialed_error
if not request.headers.get(b"Origin"):
return (540, [], "Missing Origin")
def accountsCheck(request):
common_error = commonCheck(request)
if (common_error):
return common_error
common_credentialed_error = commonCredentialedRequestCheck(request)
if (common_credentialed_error):
return common_credentialed_error
if request.headers.get(b"Origin"):
return (539, [], "Should not have Origin")
def tokenCheck(request):
common_error = commonCheck(request)
if (common_error):
return common_error
common_credentialed_error = commonCredentialedRequestCheck(request)
if (common_credentialed_error):
return common_credentialed_error
post_error = commonPostCheck(request)
if (post_error):
return post_error
if not request.POST.get(b"account_id"):
return (544, [], "Missing 'account_id' POST parameter")
if not request.POST.get(b"disclosure_text_shown"):
return (545, [], "Missing 'disclosure_text_shown' POST parameter")
def revokeCheck(request):
common_error = commonCheck(request, b"cors")
if (common_error):
return common_error
if request.cookies.get(b"cookie") != b"1":
return (537, [], "Missing cookie")
# The value of the Sec-Fetch-Site header can vary depending on the IdP origin
# but it should not be 'none'.
if request.headers.get(b"Sec-Fetch-Site") == b"none":
return (538, [], "Wrong Sec-Fetch-Site header")
post_error = commonPostCheck(request)
if (post_error):
return post_error
if not request.POST.get(b"account_hint"):
return (544, [], "Missing 'account_hint' POST parameter")
|
