Merge branch 'master' into chore/sort-authors

jazzband · Oct 10, 2023 · 456bdc3 · 456bdc3
2 parents f133e94 + b39ec01
commit 456bdc3
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 2 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -5,7 +5,7 @@ repos:
       - id: black
         exclude: ^(oauth2_provider/migrations/|tests/migrations/)
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
       - id: check-ast
       - id: trailing-whitespace

diff --git a/AUTHORS b/AUTHORS
@@ -15,6 +15,7 @@ Alan Crosswell
 Alejandro Mantecon Guillen
 Aleksander Vaskevich
 Alessandro De Angelis
+Alex Manning
 Alex Szabó
 Allisson Azevedo
 Andrea Greco

diff --git a/oauth2_provider/oauth2_validators.py b/oauth2_provider/oauth2_validators.py
@@ -190,7 +190,7 @@ def _authenticate_request_body(self, request):
         if self._load_application(client_id, request) is None:
             log.debug("Failed body auth: Application %s does not exists" % client_id)
             return False
-        elif not check_password(client_secret, request.client.client_secret):
+        elif not self._check_secret(client_secret, request.client.client_secret):
             log.debug("Failed body auth: wrong client secret %s" % client_secret)
             return False
         else:

diff --git a/tests/test_oauth2_validators.py b/tests/test_oauth2_validators.py
@@ -100,6 +100,18 @@ def test_authenticate_request_body(self):
         self.blank_secret_request.client_secret = "wrong_client_secret"
         self.assertFalse(self.validator._authenticate_request_body(self.blank_secret_request))
 
+    def test_authenticate_request_body_unhashed_secret(self):
+        self.application.client_secret = CLEARTEXT_SECRET
+        self.application.hash_client_secret = False
+        self.application.save()
+
+        self.request.client_id = "client_id"
+        self.request.client_secret = CLEARTEXT_SECRET
+        self.assertTrue(self.validator._authenticate_request_body(self.request))
+
+        self.application.hash_client_secret = True
+        self.application.save()
+
     def test_extract_basic_auth(self):
         self.request.headers = {"HTTP_AUTHORIZATION": "Basic 123456"}
         self.assertEqual(self.validator._extract_basic_auth(self.request), "123456")