OAuth 2.0 authorization and token exchange

Fix IPv6 loopback matching in redirect_uri validation

Match both "::1" and "[::1]" for the host to handle Uri library
behavior for IPv6 addresses. Add a test for http://[::1]:8080/callback,
which was previously claimed to be supported but was untested.

+12 -3
+5 -3
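--- a/lib/oauth.ml
+++ b/lib/oauth.ml
@@ -132,12 +132,14 @@
 
 type redirect_uri = string
 
+let is_loopback_host = function
+| "localhost" | "127.0.0.1" | "::1" | "[::1]" -> true
+| _ -> false
+
 let is_loopback_http uri =
 match Uri.scheme uri with
 | Some "http" -> (
-match Uri.host uri with
-| Some ("localhost" | "127.0.0.1" | "[::1]") -> true
-| _ -> false)
+match Uri.host uri with Some h -> is_loopback_host h | None -> false)
 | _ -> false
 
 let redirect_uri s =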
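Review bot: The new `is_loopback_host` (new line 135) still treats `"localhost"` as a loopback host, and RFC 8252 §8.3 recommends that only the literal loopback addresses (`127.0.0.1`, `::1`) be accepted for loopback redirection, because the name `localhost` can be resolved to a non-loopback address by the host's resolver configuration. If keeping it is a deliberate compatibility choice, record that next to the pattern: `(* "localhost" kept for client compatibility; RFC 8252 s8.3 prefers the literal loopback IPs because the name may resolve elsewhere. *)`. The exact string match also rejects non-canonical IPv6 spellings such as `0:0:0:0:0:0:0:1` or uppercase forms, which fails closed and is the safe direction, but a reader will not know that is intentional. A one-line comment stating that both the bracketed and unbracketed `::1` forms are listed because `Uri.host` appears to return either (per the commit message) would save the next maintainer a trip to the commit log.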
+7
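--- a/test/test_regressions.ml
+++ b/test/test_regressions.ml
@@ -291,6 +291,11 @@
 | Ok _ -> ()
 | Error (`Msg msg) -> Alcotest.failf "unexpected error: %s" msg
 
+let test_redirect_uri_allows_ipv6_loopback () =
+match Oauth.redirect_uri "http://[::1]:8080/callback" with
+| Ok _ -> ()
+| Error (`Msg msg) -> Alcotest.failf "unexpected error: %s" msg
+
 let test_redirect_uri_rejects_fragment () =
 match Oauth.redirect_uri "https://example.com/callback#frag" with
 | Error (`Msg msg) ->
@@ -348,6 +353,8 @@
 test_redirect_uri_allows_localhost_http;
 Alcotest.test_case "redirect_uri allows http://127.0.0.1" `Quick
 test_redirect_uri_allows_127_http;
+Alcotest.test_case "redirect_uri allows http://[::1]" `Quick
+test_redirect_uri_allows_ipv6_loopback;
 Alcotest.test_case "redirect_uri rejects fragment" `Quick
 test_redirect_uri_rejects_fragment;
 Alcotest.test_case "redirect_uri rejects no scheme" `Quick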
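Review bot: The new test at new line 294 only pins the accepting path for `http://[::1]:8080/callback`; nothing in this hunk shows that a bracketed IPv6 host that is not loopback is still refused over plain http, which is the property the widened host matching must preserve. Unless a case elsewhere in the file already covers it, add a negative counterpart alongside the new test and register it in the list at new line 356. The suggested test is below; the `Alcotest.test_case` registration line follows the pattern of the existing entries.
```ocaml
let test_redirect_uri_rejects_ipv6_non_loopback_http () =
  match Oauth.redirect_uri "http://[::2]:8080/callback" with
  | Error (`Msg _) -> ()
  | Ok _ -> Alcotest.fail "expected non-loopback http redirect_uri to be rejected"
(* … unchanged: test_redirect_uri_rejects_fragment and the rest of the suite … *)
```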