path: root/src/oauth/qoauthhttpserverreplyhandler.cpp
Commit message (Author, Age; Files; Lines)
* Mark security critical files (Juha Vuolle, 2025-04-23; files: 1; lines: -0/+1)

  Most cpp files in this module are security critical, as this module implements network interfacing authorization protocols. Headers in this module are not marked as they are trivial.

  Fixes: QTBUG-135564
  Pick-to: 6.9 6.8
  Change-Id: I97d8079296a98099955d3fe63434279599911a5e
  Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
* QtNetworkAuth: simplify QT_NO_HTTP checks (Ivan Solovev, 2025-01-09; files: 1; lines: -6/+0)

  The module cannot be built without HTTP support, so each and every file had an `#ifndef QT_NO_HTTP` check.

  However, commit d49f744968a237b751f0e520f8a9fff59dc283f5 already disabled the module build at the toplevel CMakeLists.txt file if the relevant feature is not found.

  As a result, we can drop the checks from the private headers and the .cpp files and also remove the QtNetwork/qtnetwork-config.h includes that were added in order to provide access to QT_NO_HTTP definition.

  This patch still keeps the QT_NO_HTTP check on public headers, because it allows the user code like:

      #include <QOAuth1> // unconditionally
      ...
      #ifndef QT_NO_HTTP
      QOAuth1 oauth;
      // use oauth
      #endif // QT_NO_HTTP

  Pick-to: 6.9 6.8 6.5
  Change-Id: I517aa1da90ed53a5fc013d28530aa1d41a946a79
  Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
  Reviewed-by: Marc Mutz <marc.mutz@qt.io>
  Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
* Get rid of QPair and mark the module as QPair free (Ivan Solovev, 2024-12-19; files: 1; lines: -1/+1)

  Amends 8e5e1012f9a9a9f01a12f631a3ed34570b6a4c5c which only cleaned up the public headers.

  Task-number: QTBUG-115841
  Pick-to: 6.9 6.8
  Change-Id: I16399e3ced49b91134e68c351f190720f88c3044
  Reviewed-by: Juha Vuolle <juha.vuolle@qt.io>
* Forward declare QSslConfiguration (Juha Vuolle, 2024-12-17; files: 1; lines: -0/+1)

  Since the header only crefs the QSslConfiguration.

  Resulted from API review.

  Pick-to: 6.9
  Change-Id: Ie22eb92ea80beceb26f3bce9a461bd156cef22ad
  Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
  Reviewed-by: Magdalena Stojek <magdalena.stojek@qt.io>
* Add a method to manually define http callback hostname (Juha Vuolle, 2024-12-04; files: 1; lines: -1/+45)

  This allows setting an arbitrary hostname in case 'localhost' or IP literal are not preferable:

      http://localhost:1234/cb   // pre-existing
      http://127.0.0.1:1234/cb   // pre-existing
      http://my.localnet:1234/cb // new, possible with this commit

  [ChangeLog][QOAuthHttpServerReplyHandler] Added new API for manually specifying the callback/redirect_uri hostname

  Task-number: QTBUG-130159
  Change-Id: I0d218fc43ea0dec35383c03b313c7f9d5f0f8593
  Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
* Improve callback/redirect_uri hostname setting (Juha Vuolle, 2024-12-04; files: 1; lines: -18/+35)

  Setting hostname part of redirect uri (callback) is important part to get correct, because authorization servers often expect a verbatim match between what has been registered, and what is sent as part of authorization request.

  This commit clarifies and improves specifying the hostname part.

  Historically the callback host was fixed to "127.0.0.1" which has its drawbacks (and can be outright wrong). The situation was later improved by using "localhost" hostname, which correctly maps to both IPv4 and IPv6 interfaces. However, there are authorization servers which require the use of IP literals, and reject "localhost".

  To address these issues, this commit consists of:
  - Map Any, AnyIPv4, and AnyIPv6 to "localhost".
    This mapping is logical because "localhost" will work then independent of what the actual used address is
  - Map IPv4 and IPv6 loopback addresses (LocalHost, LocalHostIPv6) to their IP literals 127.0.0.1 and ::1
    These are well-known IP literal addresses, and mapping them to "localhost" does not bring an advantage
  - If user has provided a string literal, use that directly
  - Change default address to "LocalHost", which maps to hostname "127.0.0.1". This, in part, undoes the changed behavior where the default changed to "localhost". With this change, users that don't define callback address shouldn't notice a difference to the very original behavior

  All in all these changes should improve the compatibility with various authorization servers and provide more flexibility to users.

  Amends: fd49b7f6543e7b49be7847624c64ee86c4272ccd
  Amends: 4e03167088181bf513adcfb8aac93fb8efb3f420

  [ChangeLog][QOAuthHttpServerReplyHandler] Changed and clarified callback hostname handling (especially localhost vs. 127.0.0.1)

  Pick-to: 6.8
  Fixes: QTBUG-130159
  Change-Id: I25dfb996d10f95fe60bdb4f46ea848edcb2528be
  Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
* Add https support to QOAuthHttpServerReplyHandler (Juha Vuolle, 2024-11-14; files: 1; lines: -23/+131)

  [ChangeLog][QOAuthHttpServerReplyHandler] Added support for https localhost server

  Fixes: QTBUG-64615
  Change-Id: Ic28c74bb382642077e791ea1e6cd0b3ed9ee2264
  Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
* Document Qt WebEngine usage as OAuth2 user-agent (Juha Vuolle, 2024-10-08; files: 1; lines: -1/+3)

  While system browser is the recommended user-agent for OAuth2 flows on native applications, there are also sometimes reasons to use an embedded user-agent (Qt WebEngine).

  This task documents the main considerations and practical guidance for using Qt WebEngine with Qt OAuth2.

  Fixes: QTBUG-127839
  Change-Id: Ia7959cfab0b02b76dbaa8b23ea11bdccc667c333
  Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
* Emit callbackDataReceived signal (Juha Vuolle, 2024-07-22; files: 1; lines: -0/+2)

  The signal is documented but not emitted.

  [ChangeLog][QAbstractOAuthReplyHandler] Replyhandlers emit the callbackDataReceived() signal prior to parsing the data, as documented.

  Fixes: QTBUG-85377
  Change-Id: I9f7d68b8174732cbbe617ce80301d07ee741f5b4
  Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
* Cache callback value / redirect_uri for later use (Juha Vuolle, 2024-05-23; files: 1; lines: -21/+35)

  According to 'RFC 8252 Section 8.3' the loopback listening should be closed after receiving authorization response.

  There were however two things preventing application developers from doing this:

  1) The callback (aka redirect_uri) is needed in the subsequent access token request (note: listening is not needed anymore).

  2) The callback (aka redirect_uri) is currently used also in refresh token request (this is unnecessary though, and should be removed in a follow-up commit).

  But the problem for these two was that the QOAuthHttpServerReplyHandler::callback() code asserted (debug) or just returned a wrong value (release) if the handler wasn't listening. This made it unfeasible to close the handler in a timely manner.

  With this commit the callback/redirect_uri is cached, and consequently the handler can be closed immediately after authorization.

  Pick-to: 6.7 6.5 6.2
  Fixes: QTBUG-124333
  Change-Id: I063637029908ed4fa0390a0cb07511c92bd51874
  Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
  Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
* Remove unused includes (Juha Vuolle, 2024-05-22; files: 1; lines: -3/+0)

  Change-Id: I96d358ae0b8696c121fbf17e19acbd07d5e7b655
  Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
* Document QOAuthHttpServerReplyHandler (Juha Vuolle, 2024-05-22; files: 1; lines: -0/+147)

  QOAuthHttpServerReplyHandler was introduced in Qt 5.8, when qtnetworkauth module itself was introduced. It is used by the Reddit example application, and is exported as a public API which people use.

  This commit documents the class.

  Pick-to: 6.7
  Fixes: QTBUG-124325
  Change-Id: I23acca2482938cbdbce9a41210bff12e76de8036
  Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
* QOAuthHttpServerReplyHandler: avoid triple QMap lookup for new clients (Thiago Macieira, 2024-05-13; files: 1; lines: -3/+7)

  1. contains()
  2. operator[]
  3. operator[] again

  Pick-to: 6.7
  Change-Id: Ie30a3caf09ef4176bb36fffd17cdb82d41839303
  Reviewed-by: Jesus Fernandez <jsfdez@gmail.com>
  Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
* QOAuthHttpServerReplyHandler: don't use <ctype.h> (Thiago Macieira, 2024-05-13; files: 1; lines: -2/+2)

  It's locale-dependent and slow. Just use our own ascii_is_space().

  I don't think the HTTP spec allows any other space than 0x20, but that's not the problem here.

  Pick-to: 6.7
  Change-Id: Ie30a3caf09ef4176bb36fffd17cdb50d8b32b6f3
  Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
  Reviewed-by: Jesus Fernandez <jsfdez@gmail.com>
* QOAuthHttpServerReplyHandler: bind by default to localhost, not Any (Thiago Macieira, 2024-05-13; files: 1; lines: -2/+8)

  That way, this simple HTTP server cannot be reached from the network.

  Pick-to: 6.7
  Change-Id: Ie30a3caf09ef4176bb36fffd17cd9c1b9c18ddaf
  Reviewed-by: Jesus Fernandez <jsfdez@gmail.com>
  Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
* QOAuthHttpServerReplyHandler: make callback() return an encoded URL (Thiago Macieira, 2024-05-13; files: 1; lines: -1/+2)

  We don't know where the user is going to use it, so we should probably provide a properly-encoded URL.

  Pick-to: 6.7
  Change-Id: Ie30a3caf09ef4176bb36fffd17cd9cae7f3dbe7c
  Reviewed-by: Jesus Fernandez <jsfdez@gmail.com>
  Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
* QOAuthHttpServerReplyHandler: don't assume the server is localhost (Thiago Macieira, 2024-05-13; files: 1; lines: -1/+8)

  The constructors allow passing a different address than 127.0.0.1, so get the address we did bind to from the QTcpServer and use that in constructing the URL.

  Additionally, use QUrl to construct the URL, instead of doing string concatenation. This ensures we do get a proper URL.

  Pick-to: 6.7
  Change-Id: Ie30a3caf09ef4176bb36fffd17cd9c921a2fc8c6
  Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
* QOAuthHttpServerReplyHandler: fix parsing of parsed URIs (Thiago Macieira, 2024-05-13; files: 1; lines: -18/+21)

  Instead of constructing it via strings, just let QUrl parse it because it will do so properly. This fixes the incorrect handling of URIs requested that are a prefix to the URL we want to handle.

  Pick-to: 6.7
  Change-Id: Ie30a3caf09ef4176bb36fffd17cdb59a516441aa
  Reviewed-by: Jesus Fernandez <jsfdez@gmail.com>
  Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
* Build with QT_NO_CONTEXTLESS_CONNECT (Ahmad Samir, 2023-07-12; files: 1; lines: -2/+2)

  This disables the 3-arg QObject::connect() overload:

      QObject::connect(sender, signal, functor)

  For details see: https://lists.qt-project.org/pipermail/development/2023-July/044141.html

  Change-Id: If6e8d202b114d053933fc1dcab5b99377c67a879
  Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
* Use SPDX license identifiers (Lucie Gérard, 2022-06-16; files: 1; lines: -28/+2)

  Replace the current license disclaimer in files by a SPDX-License-Identifier. License files are organized under LICENSES directory.

  Pick-to: 6.4
  Task-number: QTBUG-67283
  Change-Id: Ic012e87171ed4cef6871eff7d76f56994ea3ca1f
  Reviewed-by: Jesus Fernandez <jsfdez@gmail.com>
* wasm: Work around compilation failures when FEATURE_http=OFF (Alexandru Croitor, 2021-04-27; files: 1; lines: -0/+2)

  Some of the header and source files incorrectly check for QT_NO_HTTP without including the necessary QtNetwork/qtnetwork-config.h header.

  Because CMake's AUTOGEN still runs moc on those files and then includes them into mocs_compilation.cpp, this causes compilation failures.

  Work around the compilation failures by including the moc files directly in the respective cpp files.

  Note that this ensures archiving works in a static build, but results in an unusable library. This was the case for Qt 5.15 as well.

  A follow up change will be done to clean up this state, but for now this change unblocks adding the WebAssembly platform into CI.

  Task-number: QTBUG-78647
  Task-number: QTBUG-93243
  Change-Id: I9b6657d5ae539fdb09a741637cc5a19e652c9272
  Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
* Http reply handler: various clean-up (Mårten Nordheim, 2020-11-02; files: 1; lines: -5/+11)

  Just various changes I noticed could be made while I was looking into a bugreport.

  The socket->read(1) creates a QByteArray each time, let's just read one char.

  Use QByteArray::number instead of QString::number().toUtf8

  Change-Id: I0c508fee0c350a76fc9e0d6ea6db5379a4075ab1
  Reviewed-by: Jesus Fernandez <jsfdez@gmail.com>
* Silence warning about deprecated code (Andy Shaw, 2020-06-22; files: 1; lines: -1/+1)

  Change-Id: I69b2e29b47144b5c72ea3828840bbd5d01ea7c37
  Reviewed-by: Jesus Fernandez <jsfdez@gmail.com>
* Use 127.0.0.1 for redirect URI (Samuel Gaist, 2018-11-22; files: 1; lines: -2/+2)

  Following section 8.3 of RFC 8252 (https://tools.ietf.org/html/rfc8252#section-8.3), it is specifically not recommended to use localhost but 127.0.0.1.

  This patch fixes that.

  [ChangeLog][General] Use 127.0.0.1 in place of localhost for redirect URI following RFC 8252.

  Fixes: QTBUG-67528
  Change-Id: I6f5a8dd26134cde2373185eaf2c8853d6f500e98
  Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
* Fix compilation when QT_NO_HTTP is defined [tags: v5.12.0-beta4, v5.12.0-beta3, v5.12.0-beta2] (Eskil Abrahamsen Blomfeldt, 2018-10-09; files: 1; lines: -0/+2)

  The feature macros are defined in a header, so it has to be included first.

  Change-Id: I3ed7c4978cb9cdde23ed37d0e963a24a6b07f335
  Reviewed-by: Jesus Fernandez <Jesus.Fernandez@qt.io>
* Move logging category to private header [tag: v5.10.0-beta1] (Friedemann Kleint, 2017-09-26; files: 1; lines: -0/+1)

  Logging categories are not public API and throw off qdoc, causing:

      qtnetworkauth/src/oauth/qabstractoauth.cpp:492: warning: Can't link to 'QAbstractOAuthReplyHandler'

  Amends 43634a54376c55ff78521ea9a063f4cab984d871.

  Change-Id: I730a39f14ee93d63a5d37271a79ea75b022e3ec5
  Reviewed-by: Jesus Fernandez <Jesus.Fernandez@qt.io>
* Merge remote-tracking branch 'origin/5.9' into dev (Liang Qi, 2017-08-22; files: 1; lines: -3/+3)
|\
| |  Conflicts:
| |      .qmake.conf
| |      src/oauth/qabstractoauth.cpp
| |      tests/auto/oauth1/tst_oauth1.cpp
| |
| |  Done-with: Jesus Fernandez <jesus.fernandez@qt.io>
| |  Change-Id: I5be2c6ad2cd00943ee3acafe5b5c693fc4ada03c
| * Bump copyright year (Jesus Fernandez, 2017-07-12; files: 1; lines: -1/+1)
| |
| |  Change-Id: Iaad9fb2096cd01a762c3eace90c6154b0d0ebe59
| |  Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
| * Replace std::bind with lambdas (Thiago Macieira, 2017-06-19; files: 1; lines: -2/+2)
| |
| |  They don't compile with Clang 5.0 + libstdc++ from GCC 7. I didn't care to investigate why.
| |
| |      functional:841:7: error: static_assert failed "Wrong number of arguments for pointer-to-member"
| |      [...]
| |      qoauth2authorizationcodeflow.cpp:340:13: note: while substituting deduced template arguments into function template 'bind' [with _Func = void (QAbstractOAuthReplyHandler::*)(QNetworkReply *), _BoundArgs = <QAbstractOAuthReplyHandler *, QNetworkReply *>]
| |
| |  Change-Id: Ia53158e207a94bf49489fffd14c791ec1aaa707d
| |  Reviewed-by: Jesus Fernandez <Jesus.Fernandez@qt.io>
| |  Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
* | Use QLoggingCategory in QtNetworkAuth (Jesus Fernandez, 2017-06-20; files: 1; lines: -14/+10)
|/
|  It allows filtering the debug messages in runtime using the QLoggingCategory system.
|
|  Change-Id: Ib6790455ad856ccbc20e34f0a84a07cf5240f62e
|  Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
* Let the users change the path for the callback-url [branch: 5.8] (Mårten Nordheim, 2017-04-10; files: 1; lines: -2/+20)

  Task-number: QTBUG-59653
  Change-Id: I4bf938db2db3624c37b7f1a8d598bfa43052e2e0
  Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
* Fix HTML response when using multibyte characters (Jesus Fernandez, 2017-03-29; files: 1; lines: -6/+6)

  Report correct Content-Length even when multibyte characters are passed to the QOAuthHttpServerReplyHandler::setCallbackText() function. Previously the length of a QString was used, that would be less than the length of the UTF-8 encoding of it that was the actual content.

  Task-number: QTBUG-59725
  Change-Id: I1536b636027f81bb234969051a8fc9d88e506f8c
  Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
  Reviewed-by: Jesus Fernandez <Jesus.Fernandez@qt.io>
* Modify license [tags: v5.8.0-rc1, v5.8.0] (Jesus Fernandez, 2016-12-07; files: 1; lines: -16/+6)

  Change-Id: I40cc53ee24ad71a1293dc3b635b2cb545d29a686
  Reviewed-by: Lars Knoll <lars.knoll@qt.io>
  Reviewed-by: Tuukka Turunen <tuukka.turunen@theqtcompany.com>
  Reviewed-by: Fredrik de Vibe <fredrik.devibe@qt.io>
* Integration fix (Jesus Fernandez, 2016-08-22; files: 1; lines: -1/+1)

  Variable initialization to avoid clang complains. The OAuth1 is marked as insignificant because it uses an external server. This test needs a rewrite.

  Change-Id: I195bf955414ccff04b7d262249e869bec7059531
  Reviewed-by: Timur Pocheptsov <timur.pocheptsov@theqtcompany.com>
* OAuth support (Jesus Fernandez, 2016-08-19; files: 1; lines: -0/+329)

  New library to support OAuth1 and OAuth2 standard in Qt.

  OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.

  [ChangeLog][OAuth] Added OAuth support

  Change-Id: I3971456f93bf6ddd7fd46f555202bab2eb777c15
  Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>