authorize_access_token doesn't raise MissingCodeException when code parameter missing
Describe the bug
authorize_access_token assigns params["code"] to None when the request parameter code is missing. For example, the Flask integration:
| def authorize_access_token(self, **kwargs): | |
| """Fetch access token in one step. | |
| :return: A token dict. | |
| """ | |
| if request.method == "GET": | |
| error = request.args.get("error") | |
| if error: | |
| description = request.args.get("error_description") | |
| raise OAuthError(error=error, description=description) | |
| params = { | |
| "code": request.args.get("code"), | |
| "state": request.args.get("state"), | |
| } | |
| else: | |
| params = { | |
| "code": request.form.get("code"), | |
| "state": request.form.get("state"), | |
| } |
This means that it then bypasses the check in prepare_token_request as the key is present:
| if grant_type == "authorization_code" and "code" not in kwargs: | |
| raise MissingCodeException() |
This appears to apply to Django and Starlette integration too.
Error Stacks
No error is raised.
To Reproduce
The authorize route example when the code query string parameter is missing:
token = oauth.twitter.authorize_access_token()
Expected behavior
MissingCodeException is raised.
Environment:
- OS: Ubuntu 22.04.5
- Python Version: 3.13.5
- Authlib Version: 1.6.0
Additional context
N/A