BB2-4004: Remove the ability for developers to access PKCE = false for test client (#1378)

stiwarisemanticbits · Shivam Tiwari · jimmyfagan · web-flow · commit bf5e833fbd96 · 2025-09-19T10:47:34.000-05:00
* BB2-4004 Remove the ability for developers to access PKCE = false for test client

* Forced pkce

* Remove comment

* Fix

---------

Co-authored-by: Shivam Tiwari &lt;shivam.tiwari@icf.com&gt;
Co-authored-by: jimmyfagan &lt;90421499+jimmyfagan@users.noreply.github.com&gt;
diff --git a/apps/testclient/templates/home.html b/apps/testclient/templates/home.html
@@ -44,7 +44,7 @@ <h2>Step 1: Sample Authorization</h2>
 
 			<br />
 
-			<a id="auth_link_v2" href="{% url 'authorize_link_v2' %}?pkce=true" class="ds-c-button ds-u-margin-y--2 ds-c-button--solid ds-u-color--white">Get a Sample Authorization Token</a>
+			<a id="auth_link_v2" href="{% url 'authorize_link_v2' %}" class="ds-c-button ds-u-margin-y--2 ds-c-button--solid ds-u-color--white">Get a Sample Authorization Token</a>
 			{% endif %}
 	
             <!-- If a user DOES have a token, reflect the success of that action -->
diff --git a/apps/testclient/utils.py b/apps/testclient/utils.py
@@ -10,7 +10,7 @@
 from ..dot_ext.models import Application
 
 
-def test_setup(include_client_secret=True, v2=False, pkce=False):
+def test_setup(include_client_secret=True, v2=False):
     response = OrderedDict()
     ver = 'v2' if v2 else 'v1'
     response['api_ver'] = ver
@@ -29,12 +29,11 @@ def test_setup(include_client_secret=True, v2=False, pkce=False):
     response['redirect_uri'] = '{}{}'.format(host, settings.TESTCLIENT_REDIRECT_URI)
     response['coverage_uri'] = '{}/{}/fhir/Coverage/'.format(host, ver)
 
-    if pkce:
-        auth_data = __generate_auth_data()
-        response['code_challenge_method'] = "S256"
-        response['code_verifier'] = auth_data['code_verifier']
-        response['code_challenge'] = auth_data['code_challenge']
-        response['state'] = auth_data['state']
+    auth_data = __generate_auth_data()
+    response['code_challenge_method'] = "S256"
+    response['code_verifier'] = auth_data['code_verifier']
+    response['code_challenge'] = auth_data['code_challenge']
+    response['state'] = auth_data['state']
 
     response['authorization_uri'] = '{}/{}/o/authorize/'.format(host, ver)
     response['token_uri'] = '{}/{}/o/token/'.format(host, ver)
diff --git a/apps/testclient/views.py b/apps/testclient/views.py
@@ -10,6 +10,7 @@
 from requests_oauthlib import OAuth2Session
 from rest_framework import status
 from urllib.parse import parse_qs, urlparse
+
 from waffle.decorators import waffle_switch
 
 from .utils import test_setup, get_client_secret, extract_page_nav
@@ -307,22 +308,21 @@ def authorize_link_v2(request):
 @never_cache
 @waffle_switch('enable_testclient')
 def authorize_link(request, v2=False):
-    pkce_enabled = request.GET.get('pkce')
-    request.session.update(test_setup(v2=v2, pkce=pkce_enabled))
+    request.session.update(test_setup(v2=v2))
     oas = _get_oauth2_session_with_redirect(request)
-    authorization_url = None
-    if pkce_enabled:
-        authorization_url = oas.authorization_url(
-            request.session['authorization_uri'],
-            request.session['state'],
-            code_challenge=request.session['code_challenge'],
-            code_challenge_method=request.session['code_challenge_method'])[0]
-    else:
-        authorization_url = oas.authorization_url(
-            request.session['authorization_uri'])[0]
 
-    return render(request, 'authorize.html',
-                  {"authorization_url": authorization_url, "api_ver": "v2" if v2 else "v1"})
+    authorization_url = oas.authorization_url(
+        request.session['authorization_uri'],
+        request.session['state'],
+        code_challenge=request.session['code_challenge'],
+        code_challenge_method=request.session['code_challenge_method']
+    )[0]
+
+    return render(
+        request,
+        'authorize.html',
+        {"authorization_url": authorization_url, "api_ver": "v2" if v2 else "v1"}
+    )
 
 
 def _pagination_info(request, last_url):
