The following test is based on a cookie set by Okta, a well-known authorization service. It turns out that it's common practice to set cookies that would be invalid according to the spec.
def test_cookie_lenient_parsing(test_client_factory: TestClientFactory) -> None:
    """
    Parse a Cookie header that breaks the RFC 6265 grammar without losing cookies.

    The header is modelled on one set by Okta, a well-known authorization
    service: the ``okta-oauth-redirect-params`` value is raw JSON, so it
    contains double quotes and commas inside the value, which RFC 6265 does
    not permit. Real deployments send such headers anyway, so the parser has
    to recover and still hand back the cookies on either side of the
    malformed one -- the session cookie in particular -- under their own
    names rather than folding them into the bad value.
    """
    # The JSON payload is kept apart from the four name=value pairs so the
    # pairs stay readable; joining with "; " reproduces the header exactly.
    okta_params = (
        '{"responseType":"code","state":"somestate",'
        '"nonce":"somenonce","scopes":["openid","profile","email","phone"],'
        '"urls":{"issuer":"https://subdomain.okta.com/oauth2/authServer",'
        '"authorizeUrl":"https://subdomain.okta.com/oauth2/authServer/v1/authorize",'
        '"userinfoUrl":"https://subdomain.okta.com/oauth2/authServer/v1/userinfo"}}'
    )
    cookie_pairs = [
        "provider-oauth-nonce=validAsciiblabla",
        "okta-oauth-redirect-params=" + okta_params,
        "importantCookie=importantValue",
        "sessionCookie=importantSessionValue",
    ]
    tough_cookie = "; ".join(cookie_pairs)
    expected_keys = {
        "provider-oauth-nonce",
        "okta-oauth-redirect-params",
        "importantCookie",
        "sessionCookie",
    }

    async def echo_cookies(scope: Scope, receive: Receive, send: Send) -> None:
        # Reflect whatever the framework parsed so the client-side assertions
        # below can inspect it.
        incoming = Request(scope, receive)
        await JSONResponse({"cookies": incoming.cookies})(scope, receive, send)

    client = test_client_factory(echo_cookies)
    parsed = client.get("/", headers={"cookie": tough_cookie}).json()["cookies"]
    # Every pair must survive as its own cookie: the malformed JSON value
    # must not swallow the neighbouring importantCookie / sessionCookie.
    assert len(parsed) == 4
    assert set(parsed) == expected_keys
# These test cases are copied from Tornado's implementation