Use 400 and 401 error codes as OAuth2 documents, accept 400 as webfinger error code (#597)

2024-06-02 21:39:28 +00:00 · 2023-07-10 19:19:20 +03:00 · 2023-07-10 19:19:20 +03:00 · 1cc9c16b8c
parent 91cf2f3a30
commit 1cc9c16b8c
2 changed files with 7 additions and 2 deletions
--- a/api/views/oauth.py
+++ b/api/views/oauth.py
@ -73,6 +73,7 @@ class AuthorizationView(LoginRequiredMixin, View):
                request,
                "api/oauth_error.html",
                {"error": f"Invalid response type '{response_type}'"},
+                status=400,
            )

        application = Application.objects.filter(
@ -81,7 +82,10 @@ class AuthorizationView(LoginRequiredMixin, View):

        if application is None:
            return render(
-                request, "api/oauth_error.html", {"error": "Invalid client_id"}
+                request,
+                "api/oauth_error.html",
+                {"error": "Invalid client_id"},
+                status=400,
            )

        if application.redirect_uris and redirect_uri not in application.redirect_uris:
@ -89,6 +93,7 @@ class AuthorizationView(LoginRequiredMixin, View):
                request,
                "api/oauth_error.html",
                {"error": "Invalid application redirect URI"},
+                status=401,
            )

        context = {
--- a/users/models/identity.py
+++ b/users/models/identity.py
@ -697,7 +697,7 @@ class Identity(StatorModel):
                if (
                    response
                    and response.status_code < 500
-                    and response.status_code not in [401, 403, 404, 406, 410]
+                    and response.status_code not in [400, 401, 403, 404, 406, 410]
                ):
                    raise ValueError(
                        f"Client error fetching webfinger: {response.status_code}",