Pick-to: 6.11
Change-Id: I8bd4e61bcbd957defb117ef16189033c903efcd0
Reviewed-by: Marc Mutz <marc.mutz@qt.io>
|
Also use QUrl::setUrl() instead of relying on the implicit conversion of
QString -> QUrl.
Spotted by Marc in code review.
Amends f14ca3be866db0f745d9e3da0b82fb8e36784cb4 and
164e2d897fb7c3a60b518985774a4faa360ba2c9.
Pick-to: 6.10
Change-Id: I048fd47af4edfe3530f9f451698fe8080cb75d7d
Reviewed-by: Marc Mutz <marc.mutz@qt.io>
|
Most cpp files in this module are security critical, as
this module implements network interfacing authorization
protocols.
Headers in this module are not marked as they are
trivial.
Fixes: QTBUG-135564
Pick-to: 6.9 6.8
Change-Id: I97d8079296a98099955d3fe63434279599911a5e
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
|
Make the variable non-const first so that we don't unintentionally
cause a copy with a const rvalue ref.
Coverity-Id: 479423
Fixes: QTBUG-135257
Pick-to: 6.9 6.8 6.5
Change-Id: I22bd7a90b1aa6356a0f3a2615f3c0a83e1ba2690
Reviewed-by: Magdalena Stojek <magdalena.stojek@qt.io>
Reviewed-by: Marc Mutz <marc.mutz@qt.io>
|
A FullyEncoded URL is US-ASCII-only, so use the faster toLatin1(),
and make sure it's called on an rvalue.
(Called on an unshared rvalue QString, fromLatin1() is guaranteed to
re-use the internal buffer without reallocation; unlike toUtf8(),
which always has to stay prepared for a reallocation, in case a
UTF-16 code unit (2 bytes) requires three UTF-8 ones (three bytes)).
Amends 164e2d897fb7c3a60b518985774a4faa360ba2c9.
Pick-to: 6.9
Change-Id: Iabba5ce47141929490766dac61ea7044ba5aa44d
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
|
In order to preserve the behavior of QAbstractOAuth2::scope vis-a-vis
Qt 6.8, remember which of the scope/requestedScopeTokens properties
the requested scope came in. If it was the legacy scope, then use that
unchanged, like in Qt 6.8. If it was the new property, build a scope
from the requestedScopeTokens.
This is only significant in two cases:
- If the user is interacting with a server that wrongfully assigns
  meaning to the order of scope-tokens in a scope. Routing
  scope-tokens through QSet could then cause the server to
  malfunction.
- If the user passed (and/or the server expected) invalid characters
  in scope-tokens, and those characters were outside the L1 range,
  then they would have been encoded as UTF-8 in 6.8 and are not
  representable in requestedScopeTokens (they're not L1 and when
  putting them in as UTF-8-encoded, we'll produce mojibake).
Keeping the old behavior for the legacy scope property allows users to
continue development while they argue their case in a bug report
against the new property.
Move the legacyScope member around to avoid padding holes with the new
bool property.
Pick-to: 6.9
Change-Id: Ic3a7d485990608ea4f48327e69f9b35accbb2cbf
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
|
This better reflects the scope (token) semantics:
- Token order doesn't matter
- Duplicate tokens don't make sense
- Character encoding is limited to ASCII (albeit there might be
proprietary authorization servers not adhering to this)
Resulted from API-review.
Amends: 571b71763c0485778623139359acc88985099efb
Task-number: QTBUG-132710
Pick-to: 6.9
Change-Id: I781a707fcb3e2f06309e7ea57c5b05203afce03a
Reviewed-by: Marc Mutz <marc.mutz@qt.io>
|
This commit is a prequel commit for changing their type from QStringList
to QSet<QByteArray>, each member of the set representing a scope token.
Resulted from API-review.
Amends: 571b71763c0485778623139359acc88985099efb
Task-number: QTBUG-132710
Pick-to: 6.9
Change-Id: I9d97ddfb66caba13434a460e021356911ed72f6c
Reviewed-by: Marc Mutz <marc.mutz@qt.io>
|
This allows having a common baseclass method for refreshing
tokens already in Qt 6. This should minimize the user impact
of removing the leaf class "refreshAccessToken()" function
in Qt 7.
Furthermore this simplifies the automatic token refresh
implementation, which is implemented at the common baseclass
level; the implementation can invoke/call the refreshTokens()
directly, as opposed to the leaf class connecting to the
accessTokenAboutToExpire() signal.
Lastly this allows removing the (new in Qt 6.9)
"QOAuth2DeviceAuthorizationFlow::refresAccessTokens()"
function which would have been replaced in Qt 7.
Found in API review.
Amends 2b1e3419c5ef43e964f40dbe79d7a7da0de5aa57
Pick-to: 6.9
Change-Id: I3ad94486543bdcb5ef5a7afd41f9cbb249ac92fb
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
|
The module cannot be built without HTTP support, so each and every file
had an `#ifndef QT_NO_HTTP` check.
However, commit d49f744968a237b751f0e520f8a9fff59dc283f5 already
disabled the module build at the toplevel CMakeLists.txt file if the
relevant feature is not found.
As a result, we can drop the checks from the private headers and
the .cpp files and also remove the QtNetwork/qtnetwork-config.h includes
that were added in order to provide access to QT_NO_HTTP definition.
This patch still keeps the QT_NO_HTTP check on public headers, because
it allows the user code like:
    #include <QOAuth1> // unconditionally
    ...
    #ifndef QT_NO_HTTP
    QOAuth1 oauth;
    // use oauth
    #endif // QT_NO_HTTP
Pick-to: 6.9 6.8 6.5
Change-Id: I517aa1da90ed53a5fc013d28530aa1d41a946a79
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
Reviewed-by: Marc Mutz <marc.mutz@qt.io>
Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
|
... instead of including the relevant header.
Amends 164e2d897fb7c3a60b518985774a4faa360ba2c9.
Found in Qt 6.9 API review.
Pick-to: 6.9
Change-Id: I842a2aafce60b69d8084fe14ef69797fc2022eee
Reviewed-by: Marc Mutz <marc.mutz@qt.io>
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
|
To comply with API naming guideline. In this context
the 'polling' can be considered an adjective/state, and
the getter is prefixed with 'is', while the name of the
property (and its change signal) is not prefixed.
https://wiki.qt.io/API_Design_Principles
See Naming Boolean Getters, Setters, and Properties
Resulted from API review.
Amends: 164e2d897fb7c3a60b518985774a4faa360ba2c9
Pick-to: 6.9
Change-Id: Iaf190edaf735ea32ca0ad66fe00a77a57bb037b4
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
|
Amends 8e5e1012f9a9a9f01a12f631a3ed34570b6a4c5c which only cleaned up
the public headers.
Task-number: QTBUG-115841
Pick-to: 6.9 6.8
Change-Id: I16399e3ced49b91134e68c351f190720f88c3044
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
|
The base class already contains all properties and signals related to
access token refreshing. However, we can not add a new virtual slot
during Qt 6 lifetime.
This patch pre-programs the addition of this slot to Qt 7 and adjusts
the refresh token logic to call the new slot directly from the base
class. This eliminates the need to manually implement auto-refresh
logic in the derived classes.
The name of the new slot is different from the pre-existing slots in
the derived classes, so this patch also pre-programs the renaming
of the relevant slots.
The patch also pre-programs documentation changes by providing Qt 7
versions of the relevant docs.
Picking this change to 6.9 to minimize the amount of merge conflict
resolutions.
Task-number: QTBUG-132106
Pick-to: 6.9
Change-Id: I453e9aae096abbfddcb8076f808d4a055850f7e0
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
|
The property is common for both authorization code and device flows, so
it makes sense to move it to the base class. And more broadly speaking,
most OAuth2 flows use a token endpoint.
One problem is that QOAuth2AuthorizationCodeFlow already has an
accessTokenUrl property which is used for the same purpose. This patch
implements this property in terms of the base tokenUrl property. The
follow-up commit will deprecate the QOAuth2AuthorizationCodeFlow
property and mark it for removal in Qt 7.
There were no tests for the accessTokenUrl property and the related
signal, so create a new test that checks both old and new properties.
[ChangeLog][QAbstractOAuth2] Added tokenUrl property that holds the
token endpoint URL.
Task-number: QTBUG-132106
Pick-to: 6.9
Change-Id: I4e680e1013093041dcd3fa4f06e24b83cec83fc3
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
|
Initially the slot was returning bool, but the similar slot in
QOAuth2AuthorizationCodeFlow has a void return type.
This patch adjusts the return type of QOAuth2AuthorizationCodeFlow's
version to void as well. That is done for consistency, and with a
potential future refactoring in mind.
The errors that can occur during the execution of the slot are
already reported by the requestFailed() signal, so adjust the tests
to check this signal instead of the return value.
Amends 164e2d897fb7c3a60b518985774a4faa360ba2c9.
Pick-to: 6.9
Change-Id: I0529ee354fe884b93d0ad9bb0f5eaa810ca7fcd1
Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
|
- Detect case where refresh threshold is larger than token lifetime
- Distinguish between client-side and server-side refresh timer
updates in order to handle timeouts appropriately. An immediate
refresh should only occur if initiated by client-side, in which
case it happens only once (after that, the next update is
initiated by server-side)
- Minimum timeout value to avoid unthrottled refresh loop in case
of a server misconfiguration
- Simplify auto test cases by combining the two cases into a single
data-driven case
- Single out two corner-case autotests
Pick-to: 6.9
Change-Id: Ia538e8b308564dc6f3e42103d72e724bbf226b69
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
|
Add automatic token refresh for expiring tokens in
Device Flow class, if a refresh token is available.
This functionality, previously implemented in
Authorization Code Flow class, has now been extended
to Device Flow following its merge.
Add additional check for QOAuth2AuthorizationCodeFlow
preventing unintended automatic refresh attempts.
Pick-to: 6.9
Task-number: QTBUG-130844
Change-Id: I175abd0769d60d5440a3e84dc57d6f3d00193e41
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
|
Amends: 164e2d897fb7c3a60b518985774a4faa360ba2c9
Pick-to: 6.9
Change-Id: I1018f75c58614d6dd17c64f648514596eb2d6f53
Reviewed-by: Magdalena Stojek <magdalena.stojek@qt.io>
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
|
- Making them inline prevents violating ODR (C++17).
- Making them constexpr makes initialization compile-time.
- Making them L1 makes them a bit lighter.
- Renaming them as QtOAuth2RfcKeywords makes the purpose clear
at a glance.
- Keeping declaration/definition in one place makes code easier
to follow.
- Moving outside of QAbstractOAuth2Private class removes the need
for "using Key = QAbstractOAuth2Private::OAuth2KeyString"
Change-Id: I9a6ecc579c95ab26e3941bfe90a5ce04f123fd38
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
|
The signal error() was deprecated and superseded by errorOccurred().
However the original error() signal is a signal that reports
only a specific subset of all errors (as defined by RFC 6749 5.2).
Notably errors such as application errors, network errors,
or actual server misbehaviours are not included.
The errorOccurred() should, in keeping with other Qt APIs,
be used for more general-purpose catch-all error reporting to
facilitate centralized error handling.
Amends: 5b2fca1e93474686167eeada59eae56d7856d23c
[ChangeLog][QAbstractOAuth2] The error signal is now deprecated and
replaced by serverReportedErrorOccurred.
Change-Id: Icb81f6b24c484f79d04c09f1ec3a8d63da24b953
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
|
Recently added ability to modify token requests is also applicable to
the new 'device flow' class's authorization requests *), so not just
about token requests. Hence abstract the name to concern network
requests. This should also be more future proof in case adding new
flows in the future.
*) The pre-existing QOAuth2AuthorizationCodeFlow class
does the authorization with browser/user-agent interaction, whereas
with device flow it's done with a HTTP POST request/response.
Amends: 235f475c560224295facb5473034e6d4d0188c95
Change-Id: If4d470bc5660d8cc8ef51abe8533c02134e72305
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
|
RFC 8628 OAuth 2.0 Device Authorization Grant defines an
OAuth2 flow that is suitable for connected but input- or
user-agent limited devices. These include devices such as
televisions, game consoles, IoT devices, and others.
This commit adds support for this flow by introducing
a new QOAuth2DeviceAuthorizationFlow class.
[ChangeLog][OAuth2] Added new QOAuth2DeviceAuthorizationFlow
class that implements support for OAuth2 device authorization
grant.
Task-number: QTBUG-130611
Change-Id: Ie75baabe2bde8f61557d910b9623d4cc54e97ebb
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
Reviewed-by: Magdalena Stojek <magdalena.stojek@qt.io>
Reviewed-by: Jesus Fernandez <jsfdez@gmail.com>