
Commit 357e200

author
Steve Riesenberg
committed
Merge branch '1.1.x'
Closes gh-1318
2 parents 509b332 + 215c101 commit 357e200


5 files changed

+35
-3
lines changed


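--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceAuthorizationConsentAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceAuthorizationConsentAuthenticationConverter.java
@@ -80,7 +80,7 @@ public Authentication convert(HttpServletRequest request) {
 
 // user_code (REQUIRED)
 String userCode = parameters.getFirst(OAuth2ParameterNames.USER_CODE);
-if (!StringUtils.hasText(userCode) ||
+if (!OAuth2EndpointUtils.validateUserCode(userCode) ||
 parameters.get(OAuth2ParameterNames.USER_CODE).size() != 1) {
 OAuth2EndpointUtils.throwError(
 OAuth2ErrorCodes.INVALID_REQUEST,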

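--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceVerificationAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceVerificationAuthenticationConverter.java
@@ -30,7 +30,6 @@
 import org.springframework.security.oauth2.server.authorization.web.OAuth2DeviceVerificationEndpointFilter;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.util.MultiValueMap;
-import org.springframework.util.StringUtils;
 
 /**
 * Attempts to extract a user code from {@link HttpServletRequest} for the
@@ -64,7 +63,7 @@ public Authentication convert(HttpServletRequest request) {
 
 // user_code (REQUIRED)
 String userCode = parameters.getFirst(OAuth2ParameterNames.USER_CODE);
-if (!StringUtils.hasText(userCode) ||
+if (!OAuth2EndpointUtils.validateUserCode(userCode) ||
 parameters.get(OAuth2ParameterNames.USER_CODE).size() != 1) {
 OAuth2EndpointUtils.throwError(
 OAuth2ErrorCodes.INVALID_REQUEST,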

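--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2EndpointUtils.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2EndpointUtils.java
@@ -95,4 +95,7 @@ static String normalizeUserCode(String userCode) {
 return sb.toString();
 }
 
+static boolean validateUserCode(String userCode) {
+return (userCode != null && userCode.toUpperCase().replaceAll("[^A-Z\\d]+", "").length() == 8);
+}
 }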
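Review bot: `validateUserCode` upper-cases with the default-locale `toUpperCase()` before stripping with `[^A-Z\\d]+`, so the same eight-character code can pass on one JVM and fail on another (locales that map `i` to a dotted capital push it outside `A-Z` and change the count); use `userCode.toUpperCase(Locale.ENGLISH)` or `Locale.ROOT`. `replaceAll` also recompiles the regex on every request that reaches the device endpoints; hoisting it to `private static final Pattern NON_USER_CODE_CHARS = Pattern.compile("[^A-Z\\d]+");` and calling `NON_USER_CODE_CHARS.matcher(userCode.toUpperCase(Locale.ENGLISH)).replaceAll("")` avoids that. The check accepts any eight alphanumerics; if `normalizeUserCode` (whose body lies mostly outside this hunk) applies a narrower rule, the two should share one definition so validation and normalization cannot drift. A short Javadoc stating that `null` and anything not reducing to exactly eight `[A-Z0-9]` characters is rejected would help callers. The `Locale` and `Pattern` imports belong in the file's import block, outside this hunk.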

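--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceAuthorizationConsentAuthenticationConverterTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceAuthorizationConsentAuthenticationConverterTests.java
@@ -147,6 +147,22 @@ public void convertWhenEmptyUserCodeThenInvalidRequestError() {
 // @formatter:on
 }
 
+@Test
+public void convertWhenInvalidUserCodeThenInvalidRequestError() {
+MockHttpServletRequest request = createRequest();
+request.addParameter(OAuth2ParameterNames.STATE, STATE);
+request.addParameter(OAuth2ParameterNames.CLIENT_ID, CLIENT_ID);
+request.addParameter(OAuth2ParameterNames.USER_CODE, "LONG-USER-CODE");
+// @formatter:off
+assertThatExceptionOfType(OAuth2AuthenticationException.class)
+.isThrownBy(() -> this.converter.convert(request))
+.withMessageContaining(OAuth2ParameterNames.USER_CODE)
+.extracting(OAuth2AuthenticationException::getError)
+.extracting(OAuth2Error::getErrorCode)
+.isEqualTo(OAuth2ErrorCodes.INVALID_REQUEST);
+// @formatter:on
+}
+
 @Test
 public void convertWhenMultipleUserCodeParametersThenInvalidRequestError() {
 MockHttpServletRequest request = createRequest();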
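Review bot: The new test only exercises the too-long input `"LONG-USER-CODE"`, while `validateUserCode` rejects on an exact-length mismatch in either direction, so the short-code boundary is not pinned unless a case for it exists elsewhere in the class; a sibling test with `request.addParameter(OAuth2ParameterNames.USER_CODE, "ABCD");` (or a parameterized test over both inputs) would cover it. The same applies to `convertWhenInvalidUserCodeParameterThenInvalidRequestError` in OAuth2DeviceVerificationAuthenticationConverterTests. The enclosing test class continues outside the hunk.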

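--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceVerificationAuthenticationConverterTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceVerificationAuthenticationConverterTests.java
@@ -94,6 +94,20 @@ public void convertWhenEmptyUserCodeParameterThenInvalidRequestError() {
 // @formatter:on
 }
 
+@Test
+public void convertWhenInvalidUserCodeParameterThenInvalidRequestError() {
+MockHttpServletRequest request = createRequest();
+request.addParameter(OAuth2ParameterNames.USER_CODE, "LONG-USER-CODE");
+// @formatter:off
+assertThatExceptionOfType(OAuth2AuthenticationException.class)
+.isThrownBy(() -> this.converter.convert(request))
+.withMessageContaining(OAuth2ParameterNames.USER_CODE)
+.extracting(OAuth2AuthenticationException::getError)
+.extracting(OAuth2Error::getErrorCode)
+.isEqualTo(OAuth2ErrorCodes.INVALID_REQUEST);
+// @formatter:on
+}
+
 @Test
 public void convertWhenMultipleUserCodeParameterThenInvalidRequestError() {
 MockHttpServletRequest request = createRequest();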
