catch Exception in oauth2.py (lepture#223)

* catch Exception in oauth2.py

if the authorize_url is invalid, the /authorize page will response a
500 Internal Error due to the ValueError from validate_authorization_request
did not get caught.

* add test on /authorized with invalid redirect uri

* move test_invalid_redirect_uri to test_code.py

* add test on empty scope in post authorize

Author: flaneur2020

flask_oauthlib/provider/oauth2.py

@@ -18,7 +18,7 @@
 from werkzeug.utils import import_string
 from oauthlib import oauth2
 from oauthlib.oauth2 import RequestValidator, Server
-from oauthlib.common import to_unicode
+from oauthlib.common import to_unicode, add_params_to_uri
 from ..utils import extract_params, decode_base64, create_response
 
 __all__ = ('OAuth2Provider', 'OAuth2RequestValidator')
@@ -395,6 +395,11 @@ def decorated(*args, **kwargs):
                 except oauth2.OAuth2Error as e:
                     log.debug('OAuth2Error: %r', e)
                     return redirect(e.in_uri(redirect_uri))
+                except Exception as e:
+                    log.warning('Exception caught while processing request, %s.' % e)
+                    return redirect(add_params_to_uri(
+                        self.error_uri, {'error': str(e) }
+                    ))
 
             else:
                 redirect_uri = request.values.get(
@@ -409,6 +414,12 @@ def decorated(*args, **kwargs):
             except oauth2.OAuth2Error as e:
                 log.debug('OAuth2Error: %r', e)
                 return redirect(e.in_uri(redirect_uri))
+            except Exception as e:
+                log.warning('Exception caught while processing request, %s.' % e)
+                return redirect(add_params_to_uri(
+                    self.error_uri, {'error': str(e) }
+                ))
+
 
             if not isinstance(rv, bool):
                 # if is a response or redirect
@@ -448,6 +459,12 @@ def confirm_authorization_request(self):
         except oauth2.OAuth2Error as e:
             log.debug('OAuth2Error: %r', e)
             return redirect(e.in_uri(redirect_uri or self.error_uri))
+        except Exception as e:
+            log.warning('Exception caught while processing request, %s.' % e)
+            return redirect(add_params_to_uri(
+                self.error_uri, {'error': str(e) }
+            ))
+
 
     def verify_request(self, scopes):
         """Verify current request, get the oauth data.

tests/test_oauth2/test_code.py

@@ -50,6 +50,10 @@ def test_post_authorize(self):
         rv = self.client.post(url, data={'confirm': 'yes'})
         assert 'code' in rv.location
 
+        url = self.authorize_url + '&scope='
+        rv = self.client.post(url, data={'confirm': 'yes'})
+        assert 'error=Scopes+must+be+set' in rv.location
+
     def test_invalid_token(self):
         rv = self.client.get('/oauth/token')
         assert b'unsupported_grant_type' in rv.data
@@ -70,6 +74,16 @@ def test_invalid_token(self):
         assert b'invalid_client' not in rv.data
         assert rv.status_code == 401
 
+    def test_invalid_redirect_uri(self):
+        authorize_url = (
+            '/oauth/authorize?response_type=code&client_id=dev'
+            '&redirect_uri=http://localhost:8000/authorized'
+            '&scope=invalid'
+        )
+        rv = self.client.get(authorize_url)
+        assert 'error=' in rv.location
+        assert 'trying+to+decode+a+non+urlencoded+string' in rv.location
+
     def test_get_token(self):
         expires = datetime.utcnow() + timedelta(seconds=100)
         grant = Grant(