apart from localhost, allow only https
parent
d600bbfec0
commit
01e19485eb
|
@ -55,9 +55,11 @@ def authorize():
|
|||
|
||||
# check if redirect_uri is valid
|
||||
# allow localhost by default
|
||||
# todo: only allow https
|
||||
hostname, scheme = get_host_name_and_scheme(redirect_uri)
|
||||
if hostname != "localhost":
|
||||
if scheme != "https":
|
||||
return "Only https is supported", 400
|
||||
|
||||
if not RedirectUri.get_by(client_id=client.id, uri=redirect_uri):
|
||||
return f"{redirect_uri} is not authorized", 400
|
||||
|
||||
|
|
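Review bot: The new `scheme != "https"` test runs only inside the `hostname != "localhost"` branch, so a redirect_uri whose host is localhost is accepted with any scheme at all. The page has lost its indentation, but given the "allow localhost by default" comment the registered-URI lookup appears to be skipped for localhost as well. I would constrain the scheme before branching on the host, e.g. `if scheme not in ("http", "https"): return "Only http and https are supported", 400`, and keep the https-only rule for non-localhost hosts. The comparison with `"localhost"` is exact, so it is only sound if `get_host_name_and_scheme` (not shown here) lower-cases the host and strips port and userinfo; that is worth confirming or stating in a comment. `authorize()` starts and ends outside this hunk.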