BB2-3796: Allow POST in auth requests (#1312)

loganbertram · web-flow · commit 7174bdf77538 · 2025-04-08T17:19:42.000-04:00
* Added authorization post support and state requriement for posting

* Cleanup
diff --git a/apps/capabilities/management/commands/create_blue_button_scopes.py b/apps/capabilities/management/commands/create_blue_button_scopes.py
@@ -307,6 +307,3 @@ def handle(self, *args, **options):
         create_coverage_read_search_capability(g, fhir_prefix)
         create_launch_capability(g, fhir_prefix)
         create_openid_capability(g)
-
-        call_command('loaddata', 'internal_application_labels.json')
-
diff --git a/apps/dot_ext/views/authorization.py b/apps/dot_ext/views/authorization.py
@@ -238,6 +238,7 @@ def form_valid(self, form):
         return self.redirect(self.success_url, application)
 
 
+@method_decorator(csrf_exempt, name="dispatch")
 class ApprovalView(AuthorizationView):
     """
     Override the base authorization view from dot to
@@ -252,6 +253,9 @@ def __init__(self, version=1):
         super().__init__()
 
     def dispatch(self, request, uuid, *args, **kwargs):
+        if request.method == "POST" and request.POST.get("state") is None:
+            return JsonResponse({"status_code": 401, "message": "State required for POST requests."}, status=401)
+
         # Get auth_uuid to set again after super() return. It gets cleared out otherwise.
         auth_flow_dict = get_session_auth_flow_trace(request)
         try:
@@ -276,7 +280,7 @@ def dispatch(self, request, uuid, *args, **kwargs):
         if hasattr(result, "headers") \
                 and "Location" in result.headers \
                 and "invalid_scope" in result.headers['Location']:
-            return JsonResponse({"status_code": 400, "message": "Invalid scopes."})
+            return JsonResponse({"status_code": 400, "message": "Invalid scopes."}, status=400)
 
         if hasattr(self, 'oauth2_data'):
             application = self.oauth2_data.get('application', None)
diff --git a/apps/mymedicare_cb/tests/test_callback_slsx.py b/apps/mymedicare_cb/tests/test_callback_slsx.py
@@ -174,6 +174,7 @@ def test_authorize_uuid(self):
                 "client_id": "bad",
                 "redirect_uri": "http://test.com",
                 "response_type": "code",
+                "state": "1234567890",
             },
         )
         self.assertEqual(status.HTTP_302_FOUND, response.status_code)
@@ -184,6 +185,7 @@ def test_authorize_uuid(self):
             "scope": ["capability-a"],
             "expires_in": 86400,
             "allow": True,
+            "state": "1234567890",
         }
         response = self.client.post(auth_uri, data=payload)
         self.assertEqual(status.HTTP_302_FOUND, response.status_code)
@@ -196,9 +198,20 @@ def test_authorize_uuid(self):
                 "client_id": application.client_id,
                 "redirect_uri": "http://test.com",
                 "response_type": "code",
+                "state": "1234567890",
             },
         )
         self.assertEqual(status.HTTP_302_FOUND, response.status_code)
+        # Test without state
+        response = self.client.post(
+            auth_uri,
+            data={
+                "client_id": application.client_id,
+                "redirect_uri": "http://test.com",
+                "response_type": "code",
+            },
+        )
+        self.assertEqual(status.HTTP_401_UNAUTHORIZED, response.status_code)
 
     def test_callback_url_success(self):
         # create a state
