OAuthServer polish and random sauce
Summary:
This diff makes the OAuthServer more compliant with the spec by
- making it return well-formatted error codes with error types from the spec.
- making it respect the "state" variable, which is a transparent variable the
client passes and the server passes back
- making it be super, duper compliant with respect to redirect uris
- if specified in authorization step, check if its valid relative to the client
registered URI and if so save it
- if specified in authorization step, check if its been specified in the access
step and error if it doesn't match or doesn't exist
- note we don't make any use of it in the access step which seems strange but
hey, that's what the spec says!
This diff makes the OAuthServer suck less by
- making the "cancel" button do something in the user authorization flow
- making the client list view and client edit view be a bit more usable around
client secrets
- fixing a few bugs I managed to introduce along the way
Test Plan:
- create a test phabricator client, updated my conf, and then linked and
unlinked phabricator to itself
- wrote some tests for PhabricatorOAuthServer -- they pass!
- these validate the various validate URI checks
- tried a few important authorization calls --
http://phabricator.dev/oauthserver/auth/?client_id=X&state=test&redirect_uri=http://www.evil.com
- verified error'd from mismatching redirect uri's
- verified state parameter in response
- verified did not redirect to client redirect uri
- http://phabricator.dev/oauthserver/auth/?client_id=X w/ existing
authorization
- got redirected to proper client url with error that response_type not
specified
existing authorization
- got redirected to proper client url with pertinent code!
- tried a few important access calls
- verified appropriate errors if missing any required parameters
- verified good access code with appropriate other variables resulted in an
access token
- verified that if redirect_uri set correctly in authorization required for
access and errors if differs at all / only succeeds if exactly the same
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley, ajtrichards
Maniphest Tasks: T889, T906, T897
Differential Revision: https://secure.phabricator.com/D1727