phorge-phorge/resources/sql/patches/112.oauthaccesscoderedirecturi.sql

ALTER TABLE `{$NAMESPACE}_oauth_server`.`oauth_server_oauthserverauthorizationcode`
  ADD `redirectURI` varchar(255) NOT NULL
SQL Patch Management: SQL Changes Summary: Splits out the SQL changes. These are most of the changes, but primarily mechanical: - Moved "initialize.sql" to "0000.legacy.sql" and partially reverted to an older version, such that patches 0000 + 000 + 001 + ... + 137 put us in the right state when applied sequentially. - Removed "create database" commands from all SQL. These are handled by separate DB patches now, so we have the data to do operations like "storage databases" (list databases) and "storage destroy" (drop databases). - Removed "phabricator_" namespace from all SQL, and replaced with "{$NAMESPACE}_" token so we can namespace databases. - Shortened some column lengths so patches apply correctly if originally created as InnoDB; also a few similar tweaks elsewhere. Test Plan: See D2323 for discussion and test plan. Reviewers: edward, vrana, btrahan, jungejason Reviewed By: btrahan CC: aran Maniphest Tasks: T140, T345 Differential Revision: https://secure.phabricator.com/D2329 2012-04-30 16:53:53 +02:00			ALTER TABLE `{$NAMESPACE}_oauth_server`.`oauth_server_oauthserverauthorizationcode`
OAuthServer polish and random sauce Summary: This diff makes the OAuthServer more compliant with the spec by - making it return well-formatted error codes with error types from the spec. - making it respect the "state" variable, which is a transparent variable the client passes and the server passes back - making it be super, duper compliant with respect to redirect uris -- if specified in authorization step, check if its valid relative to the client registered URI and if so save it -- if specified in authorization step, check if its been specified in the access step and error if it doesn't match or doesn't exist -- note we don't make any use of it in the access step which seems strange but hey, that's what the spec says! This diff makes the OAuthServer suck less by - making the "cancel" button do something in the user authorization flow - making the client list view and client edit view be a bit more usable around client secrets - fixing a few bugs I managed to introduce along the way Test Plan: - create a test phabricator client, updated my conf, and then linked and unlinked phabricator to itself - wrote some tests for PhabricatorOAuthServer -- they pass! -- these validate the various validate URI checks - tried a few important authorization calls -- http://phabricator.dev/oauthserver/auth/?client_id=X&state=test&redirect_uri=http://www.evil.com --- verified error'd from mismatching redirect uri's --- verified state parameter in response --- verified did not redirect to client redirect uri -- http://phabricator.dev/oauthserver/auth/?client_id=X w/ existing authorization --- got redirected to proper client url with error that response_type not specified -- http://phabricator.dev/oauthserver/auth/?client_id=X&response_type=code w/ existing authorization --- got redirected to proper client url with pertinent code! - tried a few important access calls -- verified appropriate errors if missing any required parameters -- verified good access code with appropriate other variables resulted in an access token - verified that if redirect_uri set correctly in authorization required for access and errors if differs at all / only succeeds if exactly the same Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley, ajtrichards Maniphest Tasks: T889, T906, T897 Differential Revision: https://secure.phabricator.com/D1727 2012-03-01 23:46:18 +01:00			ADD `redirectURI` varchar(255) NOT NULL