added validation around code_challenge_method to reject non S256 values

.gitignore

@@ -100,4 +100,7 @@ test_report.txt
 .sass-cache*
 *.css.map
 .DS_Store
-static/bluebutton-css/dist
+static/bluebutton-css/dist
+
+/sdk-node
+/sdk-python

apps/authorization/tests/test_data_access_grant.py

@@ -35,7 +35,9 @@
 class TestDataAccessGrant(BaseApiTest):
     @staticmethod
     def _create_authorization_header(client_id, client_secret):
-        return 'Basic {0}'.format(base64.b64encode('{0}:{1}'.format(client_id, client_secret).encode('utf-8')).decode('utf-8'))
+        return 'Basic {0}'.format(
+            base64.b64encode('{0}:{1}'.format(client_id, client_secret).encode('utf-8')).decode('utf-8')
+        )
 
     def test_create_update_delete(self):
         # 1. Test create and default expiration_date
@@ -76,7 +78,9 @@ def test_create_update_delete(self):
         dag.delete()
 
         #     Verify it does exist and archived.
-        arch_dag = ArchivedDataAccessGrant.objects.get(beneficiary__username='test_beneficiary', application__name='test_app')
+        arch_dag = ArchivedDataAccessGrant.objects.get(
+            beneficiary__username='test_beneficiary', application__name='test_app'
+        )
 
         #    Verify expiration_date copied OK.
         self.assertEqual('2030-01-15 00:00:00+00:00', str(arch_dag.expiration_date))
@@ -190,6 +194,7 @@ def test_delete_authenticated_user_grant(self):
 
     def setup_test_application_with_user(self, test_user, application_name='an app'):
         redirect_uri = 'http://localhost'
+        code_challenge = 'sZrievZsrYqxdnu2NVD603EiYBM18CuzZpwB-pOSZjo'
         capability_a = self._create_capability('Capability A', [])
         capability_b = self._create_capability('Capability B', [])
         # create an application and add capabilities
@@ -207,6 +212,9 @@ def setup_test_application_with_user(self, test_user, application_name='an app')
             'client_id': application.client_id,
             'response_type': 'code',
             'redirect_uri': redirect_uri,
+            'state': '0123456789abcdef',
+            'code_challenge': code_challenge,
+            'code_challenge_method': 'S256',
         }
         response = self.client.get('/v1/o/authorize', data=payload)
         # post the authorization form with only one scope selected
@@ -218,6 +226,8 @@ def setup_test_application_with_user(self, test_user, application_name='an app')
             'expires_in': 86400,
             'allow': True,
             'state': '0123456789abcdef',
+            'code_challenge': code_challenge,
+            'code_challenge_method': 'S256',
         }
         response = self.client.post(response['Location'], data=payload)
         self.assertEqual(response.status_code, 302)
@@ -229,6 +239,7 @@ def setup_test_application_with_user(self, test_user, application_name='an app')
             'code': authorization_code,
             'redirect_uri': redirect_uri,
             'client_id': application.client_id,
+            'code_verifier': 'test123456789123456789123456789123456789123456789',
         }
         response = self.client.post(reverse('oauth2_provider:token'), data=token_request_data)
         fhir_id = json.loads(response.content)['patient']
@@ -237,6 +248,7 @@ def setup_test_application_with_user(self, test_user, application_name='an app')
 
     def test_no_action_on_reapproval(self):
         redirect_uri = 'http://localhost'
+        code_challenge = 'sZrievZsrYqxdnu2NVD603EiYBM18CuzZpwB-pOSZjo'
 
         user = self._create_user('anna', '123456')
         application, fhir_id = self.setup_test_application_with_user(user)
@@ -248,6 +260,9 @@ def test_no_action_on_reapproval(self):
             'client_id': application.client_id,
             'response_type': 'code',
             'redirect_uri': redirect_uri,
+            'state': '0123456789abcdef',
+            'code_challenge': code_challenge,
+            'code_challenge_method': 'S256',
         }
         response = self.client.get('/v1/o/authorize', data=payload)
         # post the authorization form with only one scope selected
@@ -259,6 +274,8 @@ def test_no_action_on_reapproval(self):
             'expires_in': 86400,
             'allow': True,
             'state': '0123456789abcdef',
+            'code_challenge': code_challenge,
+            'code_challenge_method': 'S256',
         }
         response = self.client.post(response['Location'], data=payload)
 
@@ -271,6 +288,7 @@ def test_no_action_on_reapproval(self):
             'code': authorization_code,
             'redirect_uri': redirect_uri,
             'client_id': application.client_id,
+            'code_verifier': 'test123456789123456789123456789123456789123456789',
         }
         response = self.client.post(reverse('oauth2_provider:token'), data=token_request_data)
         self.assertEqual(response.status_code, 200)
@@ -342,6 +360,7 @@ def test_permission_deny_on_app_or_org_disabled(self):
         to an application or applications under a user (organization)
         """
         redirect_uri = 'http://localhost'
+        code_challenge = 'sZrievZsrYqxdnu2NVD603EiYBM18CuzZpwB-pOSZjo'
         # create a user
         user = self._create_user('anna', '123456')
         capability_a = self._create_capability('Capability A', [])
@@ -363,6 +382,9 @@ def test_permission_deny_on_app_or_org_disabled(self):
             'client_id': application.client_id,
             'response_type': 'code',
             'redirect_uri': redirect_uri,
+            'state': '0123456789abcdef',
+            'code_challenge': code_challenge,
+            'code_challenge_method': 'S256',
         }
         response = self.client.get('/v1/o/authorize', data=payload)
         payload = {
@@ -373,6 +395,8 @@ def test_permission_deny_on_app_or_org_disabled(self):
             'expires_in': 86400,
             'allow': True,
             'state': '0123456789abcdef',
+            'code_challenge': code_challenge,
+            'code_challenge_method': 'S256',
         }
 
         response = self.client.post(response['Location'], data=payload)