KorAP / Kalamar

:octopus: Mojolicious-based Frontend for KorAP
BSD 2-Clause "Simplified" License

Authorization request failed for localhost #195

Closed margaretha closed 1 year ago

margaretha commented 1 year ago

The R client can use the httr library to handle HTTP requests so that it can obtain KorAP access tokens dynamically. Since it uses localhost, we should therefore support localhost as a client redirect URI. This should be fine since the redirection is done by browsers.

There is however a problem in the authorization response.

After a client sends an authorization request and the user clicks the "grant access" button, Kalamar produces:

http://localhost:7071/redirect?error_description=Connection+refused
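The comment above argues that a loopback redirect URI is safe because the browser, not the server, performs the redirection. What still has to stay strict is the comparison against the registered redirect URI, since a local client listens on whatever port it could open. The following is an added example of such a check, written for this issue and not Kalamar's own code; the function name `redirect_uri_allowed` and the sample URIs are assumptions:

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Mojo::URL;

# Hypothetical check (not Kalamar's code): is the redirect_uri sent with an
# authorization request acceptable for a client that registered $registered?
# Non-loopback URIs must match exactly. For loopback URIs only the port may
# differ, because a local client (such as an R script using httr) listens on
# whatever port it could open. Everything else stays strict: same scheme,
# host, path and query, and no fragment.
my %LOOPBACK = map { $_ => 1 } qw(localhost 127.0.0.1 [::1] ::1);

sub redirect_uri_allowed {
  my ($registered, $requested) = @_;
  my $reg = Mojo::URL->new($registered);
  my $req = Mojo::URL->new($requested);

  # A fragment never belongs in a redirect_uri
  return 0 if defined $req->fragment;

  # The common case: exact match
  return 1 if $reg->to_string eq $req->to_string;

  # Loopback exception: both sides loopback over plain http, same path and
  # query, any port
  my ($rh, $qh) = (lc($reg->host // ''), lc($req->host // ''));
  return 0 unless $LOOPBACK{$rh} && $LOOPBACK{$qh};
  return 0 unless ($reg->scheme // '') eq 'http' && ($req->scheme // '') eq 'http';
  return 0 unless $reg->path->to_string eq $req->path->to_string;
  return 0 unless $reg->query->to_string eq $req->query->to_string;
  return 1;
}

# Constructed cases: registered URI, requested URI, expected verdict
my @cases = (
  ['http://localhost:7071/redirect', 'http://localhost:7071/redirect',             1],
  ['http://localhost:7071/redirect', 'http://localhost:49152/redirect',            1],  # port may vary
  ['http://localhost:7071/redirect', 'http://localhost:7071/other',                0],  # path must match
  ['http://localhost:7071/redirect', 'http://localhost.example.org:7071/redirect', 0],  # not loopback
  ['https://client.example.org/cb',  'https://client.example.org:8443/cb',         0],  # no port leeway off loopback
  ['http://localhost:7071/redirect', 'http://localhost:7071/redirect#x',           0],  # fragment rejected
);

for my $case (@cases) {
  my ($registered, $requested, $expected) = @$case;
  my $got = redirect_uri_allowed($registered, $requested);
  printf "%-5s %s -> %s\n",
    ($got == $expected ? 'ok' : 'WRONG'), $requested, ($got ? 'allowed' : 'rejected');
}
```

The port exception is deliberately limited to loopback hosts over plain http; for any other host the registered URI has to match character for character.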

Akron commented 1 year ago

The problem can probably be located here:

https://github.com/KorAP/Kalamar/blob/master/lib/Kalamar/Plugin/Auth.pm#L1612-L1634

The KorAP-Request may accidentally follow the redirect. This should definitely be disabled for all API requests that may return unexpected redirects.

To test for this issue, a client like the following should be run:

```perl
#!/usr/bin/env perl
use Mojolicious::Lite;
use Mojo::URL;
use Mojo::JSON qw'true false';

# Credentials of a client registered at the KorAP instance
my $client_id     = '[CLIENT_ID]';
my $client_secret = '[CLIENT_SECRET]';   # not needed for the authorization step itself
my $redirect_uri  = 'http://localhost:3000/return';   # the URI registered for the client

get '/' => sub {
  shift->render(template => 'index');
};

# Send the browser to the KorAP authorization endpoint
get '/install-me' => sub {
  my $c = shift;

  my $url = Mojo::URL->new('http://korap.ids-mannheim.de/instance/test/settings/oauth/authorize');
  $url = $url->query({
    'client_id'  => $client_id,
    'scope'      => 'search match_info',
    'state'      => 'funny',
    redirect_uri => $c->url_for('return')->to_abs
  });

  $c->res->code(307);
  $c->redirect_to($url);
};

# The browser lands here after the user has granted (or denied) access
get '/return' => sub {
  my $c = shift;
  if ($c->param('code')) {
    $c->render(text => 'okay: ' . $c->param('code'));
  } else {
    $c->render(text => 'not okay: ' . $c->param('error'));
  }
} => 'return';

app->start;

__DATA__
@@ index.html.ep

<p><a href="/install-me">Install me</a></p>
```

Or use Eliza's example server.
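The comment above locates the problem in the server-side request following the authorization response's redirect, which points at the client's loopback address. The added example below, written for this issue and not KorAP's code, shows the failure mode and the pass-through behaviour side by side: a constructed stand-in for the API's authorize endpoint answers with a 302, and a `forward_grant` function (an assumed name) either hands the `Location` back for the browser or reports the transport error a following user agent runs into. The route `/api/oauth/authorize`, the port 7071 from the issue and the parameter values are constructed for the demonstration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Mojolicious::Lite;
use Mojo::UserAgent;
use Mojo::URL;

# Constructed stand-in for the API's authorization endpoint (not KorAP's code).
# Like a real OAuth server it answers a granted request with a 302 whose
# Location is the client's redirect_uri plus the authorization code.
post '/api/oauth/authorize' => sub {
  my $c = shift;
  my $target = Mojo::URL->new($c->param('redirect_uri'))->query({
    code  => 'constructed-code',
    state => $c->param('state')
  });
  $c->redirect_to($target);
};

# Frontend side of the exchange. The server-side user agent must NOT follow
# the redirect itself: the Location points at the client's loopback address,
# which only means something to the user's browser. The 3xx is therefore
# passed on unchanged; anything else is reported, not followed.
sub forward_grant {
  my ($ua, $params) = @_;
  my $tx  = $ua->post('/api/oauth/authorize' => form => $params);
  my $res = $tx->res;

  if ($res->is_redirect && $res->headers->location) {
    return { location => $res->headers->location };
  }
  my $err = $tx->error;
  return { error => $err ? $err->{message} : 'unexpected status ' . $res->code };
}

# Constructed authorization grant from a local client listening on port 7071
my %grant = (
  client_id    => 'constructed-client',
  redirect_uri => 'http://127.0.0.1:7071/redirect',
  state        => 'funny',
);

# Correct: redirects are never followed for this request, so the browser can
# be sent to http://127.0.0.1:7071/redirect?code=...&state=funny
my $ua = Mojo::UserAgent->new(max_redirects => 0);
$ua->server->app(app);   # talk to the mock endpoint above instead of the network
my $ok = forward_grant($ua, \%grant);
print "pass-through: ", ($ok->{location} // $ok->{error}), "\n";

# The failure mode from the issue: a user agent that follows redirects tries to
# open 127.0.0.1:7071 from the server, where nothing listens, and the transport
# error ("Connection refused") is all that is left to report to the client.
my $ua_follow = Mojo::UserAgent->new(max_redirects => 3);
$ua_follow->server->app(app);
my $bad = forward_grant($ua_follow, \%grant);
print "followed:     ", ($bad->{location} // $bad->{error}), "\n";
```

Setting `max_redirects` to 0 on the user agent used for this request (rather than relying on a shared agent's default) keeps the redirect opaque to the server, and the `is_redirect` check makes the expected 3xx the only outcome that is passed on as success.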

Akron commented 1 year ago

I expect this to be a bug easily fixable but hard (or impossible) to test.

Akron commented 1 year ago

I have a working test now in gerrit.

Akron commented 1 year ago

This fix will probably allow for https://github.com/KorAP/RKorAPClient/issues/4 to work.