Fix unknown pkce method error when configured #1747
Conversation
config/locales/en.yml
Outdated
| @@ -100,7 +100,7 @@ en: | |||
| unauthorized_client: 'The client is not authorized to perform this request using this method.' | |||
| access_denied: 'The resource owner or authorization server denied the request.' | |||
| invalid_scope: 'The requested scope is invalid, unknown, or malformed.' | |||
| invalid_code_challenge_method: 'The code challenge method must be plain or S256.' | |||
| invalid_code_challenge_method: 'The code challenge method must be one of %{challenge_methods}.' | |||
There was a problem hiding this comment.
This could probably use some tweaking, just let me know how you think this should read.
There was a problem hiding this comment.
You'd probably want to use the one / other syntax here..
| invalid_code_challenge_method: 'The code challenge method must be one of %{challenge_methods}.' | |
| invalid_code_challenge_method: | |
| one: 'The code challenge method must be %{challenge_methods}.' | |
| other: 'The code challenge method must be one of %{challenge_methods}.' |
Which would need a count on challenge_methods, iirc. count is magic in that it decides whether to pick one or other
There was a problem hiding this comment.
Awesome suggestions, I went ahead and updated in ccc9773
| @@ -12,6 +12,7 @@ def self.from_request(request, attributes = {}) | |||
| attributes.merge( | |||
| name: error_name_for(request.error), | |||
| exception_class: exception_class_for(request.error), | |||
| translate_options: request.error.try(:translate_options), | |||
There was a problem hiding this comment.
I was not completely confident what classes request.error are expected here. I can remove the try if we always expect to receive a DoorkeeperError here.
There was a problem hiding this comment.
Maybe there's a default that can be set? grab :translate_options or fallback to {}
There was a problem hiding this comment.
I default it here in error.rb because that caught all the usages of Error in one place.
There was a problem hiding this comment.
More thinking of if the Error somehow doesn't derive from Doorkeeper::OAuth::Error, e.g., it comes from activerecord or something
lib/doorkeeper/errors.rb
Outdated
| class InvalidCodeChallengeMethod < BaseResponseError | ||
| def self.translate_options | ||
| { | ||
| challenge_methods: Doorkeeper.config.pkce_code_challenge_methods_supported.join(", ") |
There was a problem hiding this comment.
Re: pluralisation in https://github.com/doorkeeper-gem/doorkeeper/pull/1747/files#r1825345954
| challenge_methods: Doorkeeper.config.pkce_code_challenge_methods_supported.join(", ") | |
| challenge_methods: Doorkeeper.config.pkce_code_challenge_methods_supported.join(", "), | |
| count: Doorkeeper.config.pkce_code_challenge_methods_supported.length |
There was a problem hiding this comment.
Thanks, used this in ccc9773
spec/lib/oauth/error_spec.rb
Outdated
| context "when there are variables" do | ||
| subject(:error) do | ||
| described_class.new( | ||
| :invalid_code_challenge_method, | ||
| :some_state, | ||
| { | ||
| challenge_methods: "foo, bar" | ||
| } | ||
| ) | ||
| end | ||
|
|
||
| it "is translated from translation messages with variables" do | ||
| expect(error.description).to eq("The code challenge method must be one of foo, bar.") | ||
| end | ||
| end |
There was a problem hiding this comment.
We should have a test case for the "one" option, i.e., just "foo" not "foo, bar"
(this likely more applies to pre_authorization_spec.
There was a problem hiding this comment.
I added a test for %w(foo) and [] in ccc9773
config/locales/en.yml
Outdated
| @@ -100,7 +100,10 @@ en: | |||
| unauthorized_client: 'The client is not authorized to perform this request using this method.' | |||
| access_denied: 'The resource owner or authorization server denied the request.' | |||
| invalid_scope: 'The requested scope is invalid, unknown, or malformed.' | |||
| invalid_code_challenge_method: 'The code challenge method must be plain or S256.' | |||
| invalid_code_challenge_method: | |||
| zero: 'There are no acceptable code_challenge methods' | |||
There was a problem hiding this comment.
this should never be reachable, but if it is, say
| zero: 'There are no acceptable code_challenge methods' | |
| zero: 'This authorization server does not support PKCE as there a no accepted code_challenge methods' |
Would be better?
There was a problem hiding this comment.
That is better, tweaked it just a little bit to align with other messages and updated in f042917
| attributes[:code_challenge_method] = "plain" | ||
|
|
||
| expect(pre_auth).to_not be_authorizable | ||
| expect(pre_auth.error_response.description).to eq("There are no acceptable code_challenge methods") |
There was a problem hiding this comment.
Also, we should use code_challenge or code challenge consistently.
There was a problem hiding this comment.
Good catch, this comment made me realize that we should probably be calling it code_challenge_method since that is the actual param, so I made that change in d244e69
config/locales/en.yml
Outdated
| @@ -100,7 +100,10 @@ en: | |||
| unauthorized_client: 'The client is not authorized to perform this request using this method.' | |||
| access_denied: 'The resource owner or authorization server denied the request.' | |||
| invalid_scope: 'The requested scope is invalid, unknown, or malformed.' | |||
| invalid_code_challenge_method: 'The code challenge method must be plain or S256.' | |||
| invalid_code_challenge_method: | |||
| zero: 'The authorization server does not support PKCE as there is no accepted code_challenge_method' | |||
There was a problem hiding this comment.
| zero: 'The authorization server does not support PKCE as there is no accepted code_challenge_method' | |
| zero: 'The authorization server does not support PKCE as there are no accepted code_challenge_method values.' |
There was a problem hiding this comment.
I updated this message in 7e2bf4b
Summary
I am upgrading to get the configuration update from #1735 but noticed that the error message is not correct when it is configured in that it makes it sound like we accept
plain.#1746