
Commit 66071e9

committed
Edge case fix for Double URL-encoding and extra validation check
1 parent 3233fff commit 66071e9

3 files changed

Lines changed: 16 additions & 14 deletions


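--- a/src/auth0_server_python/auth_schemes/dpop_auth.py
+++ b/src/auth0_server_python/auth_schemes/dpop_auth.py
@@ -17,6 +17,10 @@ def __init__(self, token: str, key: "jwk.JWK") -> None:
         public_jwk = key.export_public(as_dict=True)
         if public_jwk.get("kty") != "EC" or public_jwk.get("crv") != "P-256":
             raise ValueError("DPoP key must be an EC P-256 key")
+        try:
+            token.encode("ascii")
+        except UnicodeEncodeError:
+            raise ValueError("Access token must contain only ASCII characters")
         self._token = token
         self._key = key
         self._public_jwk = public_jwk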
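Review bot: The new `except UnicodeEncodeError:` branch in `__init__` re-raises with implicit chaining, so the original UnicodeEncodeError — whose `.object` attribute holds the full access token — stays attached to the ValueError as `__context__` and travels with it into tracebacks and error reporters; raise it `from None` to detach it. The same check needs no exception round-trip at all: `if not token.isascii(): raise ValueError("Access token must contain only ASCII characters")`. An empty string also passes this guard; if that is not intended, fold `not token` into the same condition. `__init__` starts before the hunk.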

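--- a/src/auth0_server_python/auth_server/my_account_client.py
+++ b/src/auth0_server_python/auth_server/my_account_client.py
@@ -1,10 +1,8 @@
 import json
 from typing import TYPE_CHECKING, Optional
-from urllib.parse import quote
+from urllib.parse import quote, unquote
 
 import httpx
-from pydantic import ValidationError
-
 from auth0_server_python.auth_schemes.bearer_auth import BearerAuth
 from auth0_server_python.auth_schemes.dpop_auth import DPoPAuth
 from auth0_server_python.auth_types import (
@@ -416,7 +414,7 @@ async def get_factors(
             return GetFactorsResponse.model_validate(response.json())
 
         except Exception as e:
-            if isinstance(e, (MyAccountApiError, ApiError, ValidationError)):
+            if isinstance(e, (MyAccountApiError, ApiError)):
                 raise
             raise ApiError(
                 "get_factors_error",
@@ -464,7 +462,7 @@ async def list_authentication_methods(
             return ListAuthenticationMethodsResponse.model_validate(response.json())
 
         except Exception as e:
-            if isinstance(e, (MyAccountApiError, ApiError, ValidationError)):
+            if isinstance(e, (MyAccountApiError, ApiError)):
                 raise
             raise ApiError(
                 "list_authentication_methods_error",
@@ -509,7 +507,7 @@ async def get_authentication_method(
             return AuthenticationMethod.model_validate(response.json())
 
         except Exception as e:
-            if isinstance(e, (MyAccountApiError, ApiError, ValidationError)):
+            if isinstance(e, (MyAccountApiError, ApiError)):
                 raise
             raise ApiError(
                 "get_authentication_method_error",
@@ -552,7 +550,7 @@ async def delete_authentication_method(
             )
 
         except Exception as e:
-            if isinstance(e, (MyAccountApiError, ApiError, ValidationError)):
+            if isinstance(e, (MyAccountApiError, ApiError)):
                 raise
             raise ApiError(
                 "delete_authentication_method_error",
@@ -601,7 +599,7 @@ async def update_authentication_method(
             return AuthenticationMethod.model_validate(response.json())
 
         except Exception as e:
-            if isinstance(e, (MyAccountApiError, ApiError, ValidationError)):
+            if isinstance(e, (MyAccountApiError, ApiError)):
                 raise
             raise ApiError(
                 "update_authentication_method_error",
@@ -661,7 +659,7 @@ async def enroll_authentication_method(
 
             path = location.split("?")[0].split("#")[0].rstrip("/")
             segments = path.split("/")
-            authentication_method_id = segments[-1] if len(segments) > 1 else ""
+            authentication_method_id = unquote(segments[-1]) if len(segments) > 1 else ""
             if not authentication_method_id or authentication_method_id in (
                 "authentication-methods",
                 "v1",
@@ -696,7 +694,7 @@ async def enroll_authentication_method(
             )
 
         except Exception as e:
-            if isinstance(e, (MyAccountApiError, ApiError, ValidationError)):
+            if isinstance(e, (MyAccountApiError, ApiError)):
                 raise
             raise ApiError(
                 "enroll_authentication_method_error",
@@ -749,7 +747,7 @@ async def verify_authentication_method(
             return AuthenticationMethod.model_validate(response.json())
 
         except Exception as e:
-            if isinstance(e, (MyAccountApiError, ApiError, ValidationError)):
+            if isinstance(e, (MyAccountApiError, ApiError)):
                 raise
             raise ApiError(
                 "verify_authentication_method_error",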
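Review bot: `unquote(segments[-1])` in enroll_authentication_method runs after the `split("?")`, `split("#")` and `split("/")` calls, so the decoded id can once again contain `/`, `?` or `#` — exactly the characters those splits removed from the raw Location path. Wherever `authentication_method_id` is later placed into a request path (those call sites are outside this hunk, but the module imports `quote`), it must be re-encoded with `quote(authentication_method_id, safe="")`, because `quote`'s default `safe="/"` leaves a decoded slash in place and would change which path the request hits. A single `unquote` also strips only one layer, so if the server really emitted a doubly-encoded id the remaining layer is still there; a comment such as `# Location carries a percent-encoded id; decode once so later quote() calls do not double-encode it` would pin down the assumed encoding depth. The body of enroll_authentication_method continues outside the hunk.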

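--- a/src/auth0_server_python/auth_types/__init__.py
+++ b/src/auth0_server_python/auth_types/__init__.py
@@ -553,9 +553,9 @@ class VerifyAuthenticationMethodRequest(BaseModel):
     def _check_at_least_one_method(self) -> "VerifyAuthenticationMethodRequest":
         has_method = (
             self.authn_response is not None
-            or self.otp_code is not None
-            or self.recovery_code is not None
-            or self.password is not None
+            or (self.otp_code is not None and self.otp_code.strip() != "")
+            or (self.recovery_code is not None and self.recovery_code.strip() != "")
+            or (self.password is not None and self.password.strip() != "")
         )
         if not has_method:
             raise ValueError(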
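Review bot: The `strip() != ""` tests in `_check_at_least_one_method` only decide whether a credential was supplied; a whitespace-only or padded `otp_code`, `recovery_code` or `password` is left on the model untouched, so when `authn_response` is also set the blank value presumably still goes out in the request body as-is. Normalising in the same validator keeps the check and the payload consistent, e.g. `self.otp_code = self.otp_code.strip() or None` for each of the three fields — hedged, since whether the model is mutable at this point is not visible here. The three repeated clauses could also collapse to `any(v is not None and v.strip() for v in (self.otp_code, self.recovery_code, self.password))`. The method's `raise ValueError(` continues outside the hunk.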
