def commonCheck(request, mode=b"no-cors"):
if request.headers.get(b"Accept") != b"application/json":
return (531, [], "Wrong Accept")
if request.headers.get(b"Sec-Fetch-Dest") != b"webidentity":
return (532, [], "Wrong Sec-Fetch-Dest header")
if request.headers.get(b"Referer"):
return (533, [], "Should not have Referer")
if request.headers.get(b"Sec-Fetch-Mode") != mode:
return (534, [], "Wrong Sec-Fetch-Mode header")
def commonUncredentialedRequestCheck(request):
if len(request.cookies) > 0:
return (535, [], "Cookie should not be sent to this endpoint")
if request.headers.get(b"Sec-Fetch-Site") != b"cross-site":
return (536, [], "Wrong Sec-Fetch-Site header")
def commonCredentialedRequestCheck(request):
if request.cookies.get(b"cookie") != b"1":
return (537, [], "Missing cookie")
def commonPostCheck(request):
if not request.headers.get(b"Origin"):
return (540, [], "Missing Origin")
if request.method != "POST":
return (541, [], "Method is not POST")
if request.headers.get(b"Content-Type") != b"application/x-www-form-urlencoded":
return (542, [], "Wrong Content-Type")
if not request.POST.get(b"client_id"):
return (543, [], "Missing 'client_id' POST parameter")
def manifestCheck(request):
common_error = commonCheck(request)
if (common_error):
return common_error
common_uncredentialed_error = commonUncredentialedRequestCheck(request)
if (common_uncredentialed_error):
return common_uncredentialed_error
if request.headers.get(b"Origin"):
return (539, [], "Should not have Origin")
def clientMetadataCheck(request):
if (request.GET.get(b'skip_checks', b'0') != b'1'):
common_error = commonCheck(request)
if (common_error):
return common_error
common_uncredentialed_error = commonUncredentialedRequestCheck(request)
if (common_uncredentialed_error):
return common_uncredentialed_error
if not request.headers.get(b"Origin"):
return (540, [], "Missing Origin")
def accountsCheck(request):
common_error = commonCheck(request)
if (common_error):
return common_error
common_credentialed_error = commonCredentialedRequestCheck(request)
if (common_credentialed_error):
return common_credentialed_error
if request.headers.get(b"Origin"):
return (539, [], "Should not have Origin")
def tokenCheck(request):
common_error = commonCheck(request, b"cors")
if (common_error):
return common_error
common_credentialed_error = commonCredentialedRequestCheck(request)
if (common_credentialed_error):
return common_credentialed_error
# The value of the Sec-Fetch-Site header can vary depending on the IdP origin
# but it should not be 'none'.
if request.headers.get(b"Sec-Fetch-Site") == b"none":
return (538, [], "Wrong Sec-Fetch-Site header")
post_error = commonPostCheck(request)
if (post_error):
return post_error
if not request.POST.get(b"account_id"):
return (544, [], "Missing 'account_id' POST parameter")
if not request.POST.get(b"disclosure_text_shown"):
return (545, [], "Missing 'disclosure_text_shown' POST parameter")
if not request.headers.get(b"Origin"):
return (540, [], "Missing Origin")
def revokeCheck(request):
common_error = commonCheck(request, b"cors")
if (common_error):
return common_error
common_credentialed_error = commonCredentialedRequestCheck(request)
if (common_credentialed_error):
return common_credentialed_error
# The value of the Sec-Fetch-Site header can vary depending on the IdP origin
# but it should not be 'none'.
if request.headers.get(b"Sec-Fetch-Site") == b"none":
return (538, [], "Wrong Sec-Fetch-Site header")
post_error = commonPostCheck(request)
if (post_error):
return post_error
if not request.POST.get(b"account_hint"):
return (544, [], "Missing 'account_hint' POST parameter")
Codebase Browser
chromium