Redirect to /login on invalid grant

Author: kevin1024

README.md

@@ -7,7 +7,7 @@ deferring to an oauth2 provider.
 
 # IMPORTANT SECURITY NOTE
 
-If you use this package, you should install the latest development version of `request_oauthlib` in order to get [an important commit that fixes a CSRF vulnerability](https://github.com/requests/requests-oauthlib/commit/c5cad15edc28040f85dba52ceebb18e11bd9e759)
+If you use this package, you should install the latest development version of `requests_oauthlib` in order to get [an important commit that fixes a CSRF vulnerability](https://github.com/requests/requests-oauthlib/commit/c5cad15edc28040f85dba52ceebb18e11bd9e759)
 
 # Support
 
@@ -81,7 +81,8 @@ and then run the tests with the provided script:
 ```
 
 ## Changelog
- * 0.2.3: Redirect to the log if the state is mismatching
- * 0.2.2: Redirect to the log if the state goes missing (sometimes people bookmark the login url)
+ * 0.2.4: Redirect to the login if the grant is invalid
+ * 0.2.3: Redirect to the login if the state is mismatching
+ * 0.2.2: Redirect to the login if the state goes missing (sometimes people bookmark the login url)
  * 0.2.1: Added tests for the ping function and fixed a bug with the session variable name for the ping timestamp.
  * 0.2.0: Added support for pinging the auth server to make sure the token is still valid

oauthadmin/views.py

@@ -1,7 +1,7 @@
 from time import time
 
 from requests_oauthlib import OAuth2Session
-from oauthlib.oauth2.rfc6749.errors import MismatchingStateError
+from oauthlib.oauth2.rfc6749.errors import MismatchingStateError, InvalidGrantError
 from urllib import quote_plus
 
 from django.shortcuts import redirect
@@ -44,7 +44,7 @@ def callback(request):
             client_secret=app_setting('CLIENT_SECRET'),
             authorization_response=app_setting('AUTH_URL') + "?" + request.GET.urlencode()
         )
-    except MismatchingStateError:
+    except (MismatchingStateError, InvalidGrantError):
         return HttpResponseRedirect(request.build_absolute_uri(reverse('oauthadmin.views.login')))
 
     user = import_by_path(app_setting('GET_USER'))(token)

setup.py

@@ -17,7 +17,7 @@
 
 setup(
     name='django-admin-oauth2',
-    version='0.2.3',
+    version='0.2.4',
     description='A django app that replaces the django admin authentication mechanism by deferring to an oauth2 provider',
     long_description=README,
     url='https://github.com/RealGeeks/django-admin-oauth2',

test/test_views.py

@@ -1,7 +1,7 @@
 import mock
 import pytest
 from oauthadmin.views import destroy_session, login, callback, logout
-from oauthlib.oauth2.rfc6749.errors import MismatchingStateError
+from oauthlib.oauth2.rfc6749.errors import MismatchingStateError, InvalidGrantError
 from django.test.client import RequestFactory
 
 
@@ -73,6 +73,18 @@ def test_callback_with_missing_state(import_by_path, app_setting, OAuth2Session,
     assert resp.status_code == 302
     assert resp['location'] == 'http://testserver/login/'
 
+@mock.patch('oauthadmin.views.OAuth2Session')
+@mock.patch('oauthadmin.views.app_setting')
+@mock.patch('oauthadmin.views.import_by_path')
+def test_callback_with_invalid_grant(import_by_path, app_setting, OAuth2Session, request_factory):
+    request = request_factory.get('/')
+    request.session = {'oauth_state':'foo'}
+    app_setting.return_value = 'app-setting'
+    OAuth2Session.return_value = mock.Mock(fetch_token = mock.Mock(side_effect=InvalidGrantError))
+    resp = callback(request)
+    assert resp.status_code == 302
+    assert resp['location'] == 'http://testserver/login/'
+
 @mock.patch('oauthadmin.views.OAuth2Session')
 @mock.patch('oauthadmin.views.app_setting')
 @mock.patch('oauthadmin.views.import_by_path')