From 68e49918e9828c0416d7a87237bdbc20191ea89d Mon Sep 17 00:00:00 2001
From: Scott Gifford
Date: Thu, 21 Oct 2021 08:17:12 -0600
Subject: [PATCH 1/2] verify that expires_at is an int before casting it as such.

---
 oauthlib/oauth2/rfc6749/clients/base.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/oauthlib/oauth2/rfc6749/clients/base.py b/oauthlib/oauth2/rfc6749/clients/base.py
index 88065ab3..0c7b6e53 100644
--- a/oauthlib/oauth2/rfc6749/clients/base.py
+++ b/oauthlib/oauth2/rfc6749/clients/base.py
@@ -512,7 +512,7 @@ def populate_token_attributes(self, response):
 self.expires_in = response.get('expires_in')
 self._expires_at = time.time() + int(self.expires_in)
 
- if 'expires_at' in response:
+ if 'expires_at' in response and isinstance(response.get('expires_at'), int):
 self._expires_at = int(response.get('expires_at'))
 
 if 'mac_key' in response:

From 8c4b32d8bac1594ee6bcf9bf25708f9fcb869d67 Mon Sep 17 00:00:00 2001
From: Scott Gifford
Date: Thu, 21 Oct 2021 13:39:43 -0600
Subject: [PATCH 2/2] casting expires_at as int within try catch with test.

---
 oauthlib/oauth2/rfc6749/clients/base.py | 7 +++++--
 tests/oauth2/rfc6749/clients/test_base.py | 24 +++++++++++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/oauthlib/oauth2/rfc6749/clients/base.py b/oauthlib/oauth2/rfc6749/clients/base.py
index 0c7b6e53..35a3fd5c 100644
--- a/oauthlib/oauth2/rfc6749/clients/base.py
+++ b/oauthlib/oauth2/rfc6749/clients/base.py
@@ -512,8 +512,11 @@ def populate_token_attributes(self, response):
 self.expires_in = response.get('expires_in')
 self._expires_at = time.time() + int(self.expires_in)
 
- if 'expires_at' in response and isinstance(response.get('expires_at'), int):
- self._expires_at = int(response.get('expires_at'))
+ if 'expires_at' in response:
+ try:
+ self._expires_at = int(response.get('expires_at'))
+ except:
+ self._expires_at = None
 
 if 'mac_key' in response:
 self.mac_key = response.get('mac_key')
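Review bot: The bare `except:` around the new `int(response.get('expires_at'))` cast also swallows KeyboardInterrupt and SystemExit, and by quietly setting `_expires_at = None` it hides a malformed expiry coming back from the token endpoint; narrow it to what int() actually raises, `except (TypeError, ValueError):`, and consider logging the rejected value (never the token itself) at warning level so the bad response is visible. Whether a None `_expires_at` is later treated as "never expires" depends on the expiry check outside this hunk, so that consequence should be confirmed before relying on None as the fallback. The `int(self.expires_in)` cast two lines above still has no guard, so a malformed `expires_in` raises while a malformed `expires_at` is now tolerated; the two fields should be handled consistently. populate_token_attributes starts and ends outside the hunk.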
diff --git a/tests/oauth2/rfc6749/clients/test_base.py b/tests/oauth2/rfc6749/clients/test_base.py
index c77cfed2..6b4eff07 100644
--- a/tests/oauth2/rfc6749/clients/test_base.py
+++ b/tests/oauth2/rfc6749/clients/test_base.py
@@ -301,3 +301,27 @@ def test_prepare_refresh_token_request(self):
 self.assertEqual(u, url)
 self.assertEqual(h, {'Content-Type': 'application/x-www-form-urlencoded'})
 self.assertFormBodyEqual(b, 'grant_type=refresh_token&scope={}&refresh_token={}'.format(scope, token))
+
+ def test_parse_token_response_invalid_expires_at(self):
+ token_json = ('{ "access_token":"2YotnFZFEjr1zCsicMWpAA",'
+ ' "token_type":"example",'
+ ' "expires_at":"2006-01-02T15:04:05Z",'
+ ' "scope":"/profile",'
+ ' "example_parameter":"example_value"}')
+ token = {
+ "access_token": "2YotnFZFEjr1zCsicMWpAA",
+ "token_type": "example",
+ "expires_at": "2006-01-02T15:04:05Z",
+ "scope": ["/profile"],
+ "example_parameter": "example_value"
+ }
+
+ client = Client(self.client_id)
+
+ # Parse code and state
+ response = client.parse_request_body_response(token_json, scope=["/profile"])
+ self.assertEqual(response, token)
+ self.assertEqual(None, client._expires_at)
+ self.assertEqual(client.access_token, response.get("access_token"))
+ self.assertEqual(client.refresh_token, response.get("refresh_token"))
+ self.assertEqual(client.token_type, response.get("token_type"))
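Review bot: The new test pins only the rejection path, so a later narrowing of the bare `except:` in base.py would have no test proving that a well-formed value still lands in `_expires_at`; add a companion case with `"expires_at": 1609459200` (and one with the numeric string `"1609459200"`) asserting `self.assertEqual(client._expires_at, 1609459200)`. `self.assertEqual(None, client._expires_at)` is clearer as `self.assertIsNone(client._expires_at)`. The comment `# Parse code and state` looks carried over from an authorization-response test; this parses a token response, so `# Parse the token response; the unparseable expires_at must be dropped, not raise` says what is actually being checked. The enclosing test class starts outside the hunk.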