Don't include kwargs of request() in the body of auto refresh request

Extra key-value pairs of the request body should be supplied using the dedicated `auto_refresh_kwargs` attribute of the session object. Meanwhile, several common parameters of request() and refresh_token() are propagated to the latter, since, otherwise, auto refresh request might end up without some critical connection parameters such as proxy mapping.
requests · May 2, 2017 · dc57b27 · dc57b27
1 parent f98e7bd
commit dc57b27
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 2 deletions.
diff --git a/requests_oauthlib/oauth2_session.py b/requests_oauthlib/oauth2_session.py
@@ -339,8 +339,10 @@ def request(self, method, url, data=None, headers=None, withhold_token=False,
                     if client_id and client_secret and (auth is None):
                         log.debug('Encoding client_id "%s" with client_secret as Basic auth credentials.', client_id)
                         auth = requests.auth.HTTPBasicAuth(client_id, client_secret)
+                    refresh_kwargs = {name: kwargs[name] for name in kwargs
+                                      if name in ('timeout', 'verify', 'proxies')}
                     token = self.refresh_token(
-                        self.auto_refresh_url, auth=auth, **kwargs
+                        self.auto_refresh_url, auth=auth, **refresh_kwargs
                     )
                     if self.token_updater:
                         log.debug('Updating token to %s using %s.',

diff --git a/tests/test_oauth2_session.py b/tests/test_oauth2_session.py
@@ -6,7 +6,7 @@
 from copy import deepcopy
 from unittest import TestCase
 
-from oauthlib.common import urlencode
+from oauthlib.common import urlencode, urldecode
 from oauthlib.oauth2 import TokenExpiredError, OAuth2Error
 from oauthlib.oauth2 import MismatchingStateError
 from oauthlib.oauth2 import WebApplicationClient, MobileApplicationClient
@@ -133,6 +133,29 @@ def fake_refresh_with_auth(r, **kwargs):
             auth.send = fake_refresh_with_auth
             auth.get('https://i.b', client_id='foo', client_secret='bar')
 
+        def fake_refresh_check_body_and_connection_params(r, **kwargs):
+            if "/refresh" in r.url:
+                self.assertEqual('proxy.b', kwargs['proxies']['https'])
+                data = dict(urldecode(r.body))
+                self.assertDictEqual({
+                    'grant_type': 'refresh_token',
+                    'refresh_token': 'sldvafkjw34509s8dfsdf',
+                    'extra': 'spam'
+                }, data)
+
+            resp = mock.MagicMock()
+            resp.text = json.dumps(self.token)
+            return resp
+
+        for client in self.clients:
+            auth = OAuth2Session(client=client, token=self.expired_token,
+                                 auto_refresh_url='https://i.b/refresh',
+                                 token_updater=token_updater,
+                                 auto_refresh_kwargs={'extra': 'spam'})
+            auth.send = fake_refresh_check_body_and_connection_params
+            # Also allow_redirects=True is included by requests.Session.get()
+            auth.get('https://i.b', params={'foo': 'bar'}, proxies={'https': 'proxy.b'})
+
     @mock.patch("time.time", new=lambda: fake_time)
     def test_token_from_fragment(self):
         mobile = MobileApplicationClient(self.client_id)