server/oauth2: require scope to be set on /authorize
frankie567 committed Dec 20, 2024
1 parent bfe14d2 commit d791dd1
Showing 2 changed files with 26 additions and 1 deletion.
13 changes: 12 additions & 1 deletion server/polar/oauth2/authorization_server.py
Expand Up @@ -6,7 6,10 @@
import structlog
from authlib.oauth2 import AuthorizationServer as _AuthorizationServer
from authlib.oauth2 import OAuth2Error
from authlib.oauth2.rfc6749.errors import UnsupportedResponseTypeError
from authlib.oauth2.rfc6749.errors import (
InvalidScopeError,
UnsupportedResponseTypeError,
)
from authlib.oauth2.rfc6750 import BearerTokenGenerator
from authlib.oauth2.rfc7009 import RevocationEndpoint as _RevocationEndpoint
from authlib.oauth2.rfc7591 import (
Expand Down Expand Up @@ -278,6 281,14 @@ def build(
register_grants(authorization_server)
return authorization_server

def validate_requested_scope(
self, scope: str | None, state: str | None = None
) -> None:
# We require scope to be provided
if scope is None:
raise InvalidScopeError(state=state)
return super().validate_requested_scope(scope, state)

def query_client(self, client_id: str) -> OAuth2Client | None:
statement = select(OAuth2Client).where(
OAuth2Client.deleted_at.is_(None), OAuth2Client.client_id == client_id
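Review bot: The new guard in validate_requested_scope rejects only a missing scope parameter; a request that sends `scope=` (empty string) passes `scope is None` and falls through to the superclass, which presumably treats an empty scope as nothing to validate, so the commit's intent of requiring a scope is only partly enforced. `if not scope:` would cover both `None` and `""`, and a whitespace-only value would additionally need `scope.strip()` since scope strings are whitespace-separated. The method is annotated `-> None` yet returns the result of the superclass call, which by the same annotation is `None`; a bare `super().validate_requested_scope(scope, state)` statement reads more honestly. The comment would help more if it gave the reason, e.g. `# Refuse requests without an explicit scope so that no token is issued with a scope the caller never asked for`. The enclosing class starts before this hunk.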
14 changes: 14 additions & 0 deletions server/tests/oauth2/endpoints/test_oauth2.py
Expand Up @@ -285,6 285,20 @@ async def test_unauthenticated_prompt_none(
location = response.headers["location"]
assert "error=login_required" in location

async def test_unauthenticated_no_scope(
self, client: AsyncClient, oauth2_client: OAuth2Client
) -> None:
params = {
"client_id": oauth2_client.client_id,
"response_type": "code",
"redirect_uri": "http://127.0.0.1:8000/docs/oauth2-redirect",
}
response = await client.get("/v1/oauth2/authorize", params=params)

assert response.status_code == 302
location = response.headers["location"]
assert "error=invalid_scope" in location

@pytest.mark.auth
async def test_authenticated_invalid_sub_type(
self, client: AsyncClient, oauth2_client: OAuth2Client
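Review bot: test_unauthenticated_no_scope only covers the parameter being absent, so it cannot distinguish a `scope is None` check from a stricter one and would not catch a regression where `?scope=` (empty string) is accepted. Parametrizing the test, e.g. `@pytest.mark.parametrize("scope", [None, ""])` with `scope: str | None` added to the signature and `if scope is not None: params["scope"] = scope` placed before the request, pins both cases under the same `error=invalid_scope` assertion. Whether the empty case passes today depends on the server-side check, which this commit writes as `scope is None`, so that case may require the guard to be tightened first. The enclosing test class starts before this hunk.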
