From 5a9e543087da3cab2afad754e1e603cbb448851e Mon Sep 17 00:00:00 2001
From: Paulus Schoutsen <balloob@gmail.com>
Date: Sat, 28 Dec 2019 21:20:18 +0100
Subject: [PATCH] Whitelist Android/iOS auth callbacks (#30082)

* Whitelist Android/iOS

* Add iOS alternate flavor URLs

* Update indieauth.py

Co-authored-by: Robbie Trencheny <me@robbiet.us>
---
 homeassistant/components/auth/indieauth.py |  8 ++++++++
 tests/components/auth/test_indieauth.py    | 21 +++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/homeassistant/components/auth/indieauth.py b/homeassistant/components/auth/indieauth.py
index c845f230bf3..5915a4ec301 100644
--- a/homeassistant/components/auth/indieauth.py
+++ b/homeassistant/components/auth/indieauth.py
@@ -30,6 +30,14 @@ async def verify_redirect_uri(hass, client_id, redirect_uri):
     if is_valid:
         return True
 
+    # Whitelist the iOS and Android callbacks so that people can link apps
+    # without being connected to the internet.
+    if redirect_uri == "homeassistant://auth-callback" and client_id in (
+        "https://home-assistant.io/android",
+        "https://home-assistant.io/iOS",
+    ):
+        return True
+
     # IndieAuth 4.2.2 allows for redirect_uri to be on different domain
     # but needs to be specified in link tag when fetching `client_id`.
     redirect_uris = await fetch_redirect_uris(hass, client_id)
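Review bot: The comment on the new allowlist branch in `verify_redirect_uri` gives the offline motive but not the trust assumption it introduces: `client_id` is supplied by the requesting client, so this branch accepts the redirect on string equality alone, with no fetch of the client's page. What keeps the authorization code with the official app is then only the OS routing of the `homeassistant://` scheme, and private-use schemes are not guaranteed to be exclusive to one app (RFC 8252 discusses this and recommends PKCE; whether this flow uses PKCE is not visible in the hunk). I would extend the comment with something like `# NOTE: client_id is self-asserted; this relies on the OS delivering homeassistant:// only to the official app.` and move the three literals to module-level constants so the allowlist can be audited in one place. The function starts and ends outside the hunk.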
diff --git a/tests/components/auth/test_indieauth.py b/tests/components/auth/test_indieauth.py
index 8cfb573939e..ce8edae1466 100644
--- a/tests/components/auth/test_indieauth.py
+++ b/tests/components/auth/test_indieauth.py
@@ -166,3 +166,24 @@ async def test_find_link_tag_max_size(hass, mock_session):
     redirect_uris = await indieauth.fetch_redirect_uris(hass, "http://127.0.0.1:8000")
 
     assert redirect_uris == ["http://127.0.0.1:8000/wine"]
+
+
+@pytest.mark.parametrize(
+    "client_id", ["https://home-assistant.io/android", "https://home-assistant.io/iOS"]
+)
+async def test_verify_redirect_uri_android_ios(client_id):
+    """Test that we verify redirect uri correctly for Android/iOS."""
+    with patch.object(
+        indieauth, "fetch_redirect_uris", side_effect=lambda *_: mock_coro([])
+    ):
+        assert await indieauth.verify_redirect_uri(
+            None, client_id, "homeassistant://auth-callback"
+        )
+
+        assert not await indieauth.verify_redirect_uri(
+            None, client_id, "homeassistant://something-else"
+        )
+
+        assert not await indieauth.verify_redirect_uri(
+            None, "https://incorrect.com", "homeassistant://auth-callback"
+        )
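Review bot: The first assertion in `test_verify_redirect_uri_android_ios` does not pin the offline property the allowlist exists for: the patched `fetch_redirect_uris` returns an empty list, so the test cannot tell whether the allowlisted pair was accepted before or after a fetch was attempted. Bind the patch with `with patch.object(...) as mock_fetch:` and add `mock_fetch.assert_not_called()` directly after the first `assert await ...`. A negative case for a near-miss `client_id` (different case or a trailing slash) would also document that the match is meant to be exact.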
-- 
GitLab