Immediately show authorization request errors before showing the custom authorization form

2025-04-02 00:37:42 +02:00 · 2025-04-02 00:37:42 +02:00 · 1a2a84f674
commit 1a2a84f674
parent 857d59d391
2 changed files with 32 additions and 0 deletions
--- a/src/main/java/se/su/dsv/oauth2/staging/CustomAuthorizationEndpointFilter.java
+++ b/src/main/java/se/su/dsv/oauth2/staging/CustomAuthorizationEndpointFilter.java
@ -92,6 +92,10 @@ public class CustomAuthorizationEndpointFilter extends HttpFilter {
            throws IOException
    {
        if (Objects.equals(request.getMethod(), "GET")) {
+            // Validate authorization request
+            // This will throw if the request is not valid
+            authenticationConverter.convert(request);
+
            String authorizationUrl = getAuthorizationUrl(request);
            JteModel view = templates.authorize(authorizationUrl, loggedInUser.getName(), (ShibbolethAuthenticationDetails) loggedInUser.getDetails());
            respondWithTemplate(response, view);
--- a/src/test/java/se/su/dsv/oauth2/StagingProfileTest.java
+++ b/src/test/java/se/su/dsv/oauth2/StagingProfileTest.java
@ -9,6 +9,7 @@ import org.springframework.test.context.ActiveProfiles;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsString;
 import static org.junit.jupiter.api.Assertions.*;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
 import static se.su.dsv.oauth2.ShibbolethRequestProcessor.remoteUser;
@ -224,4 +225,31 @@ public class StagingProfileTest extends AbstractMetadataCodeFlowTest {
                    assertThat(redirectedUrl, containsString("state=" + state));
                });
    }
+
+    @Test
+    public void fails_immediately_with_invalid_request_parameters() throws Exception {
+        mockMvc.perform(get(getAuthorizationEndpoint())
+                .with(remoteUser("developer")
+                        .entitlement(DEVELOPER_ENTITLEMENT))
+                .queryParam("response_type", "code")
+                .queryParam("client_id", CLIENT_ID)
+                .queryParam("redirect_uri", REDIRECT_URI)
+                .queryParam("scope", "openid")
+                .queryParam("scope", "profile"))
+                .andExpect(status().isBadRequest())
+                .andExpect(status().reason(containsString("scope")));
+    }
+
+    @Test
+    public void shows_custom_authorization_form_for_valid_requests() throws Exception {
+        mockMvc.perform(get(getAuthorizationEndpoint())
+                .with(remoteUser("developer")
+                        .entitlement(DEVELOPER_ENTITLEMENT))
+                .queryParam("response_type", "code")
+                .queryParam("client_id", CLIENT_ID)
+                .queryParam("redirect_uri", REDIRECT_URI)
+                .queryParam("scope", "openid profile"))
+                .andExpect(status().isOk())
+                .andExpect(content().string(containsString("<form")));
+    }
 }