81 refactor i uzupełnienie swaggera do metod auth

[JanekDr]

• Migracja klas: Wszystkie endpointy Solvro/USOS OAuth przeniesione na DRF APIView/AsyncAPIView dla poprawnego generowania schematu. Wszelkie opcje redirect korzystają z parametryzacji docelowych widoków klasowych.
• Opisy wejść/wyjść: Dodano dekoratory @extend_schema ze szczegółowym wykazem rzucanych kodów błędów (200, 302, 400, 401, 403, 404) dla każdej ścieżki JWT i OTP.
• Bugfix walidacji na OTP: Dodano authentication_classes = [] do publicznych widoków OTP i LoginLinkView. Eliminacja błędnych response 401 Unauthorized dla starych sesji.
• Wszystkie endpointy są dostępne w sekcji Authentication w dokumentacji.

In general, the safest approach is to ensure that any user-provided redirect URL is normalized and strictly validated before use. That means:

• Normalize input (strip whitespace, normalize backslashes, and lowercase schemes/hosts).
• Reject protocol-relative (//...) and backslash-prefixed (\\...) URLs.
• For non-absolute paths, only allow safe relative URLs.
• For absolute URLs, accept only http/https, and only when their origin is in ALLOWED_REDIRECT_ORIGINS, matches the current host, or matches a carefully defined preview pattern.
• Fall back to a safe default path when validation fails.

The current helper already aims to do this, but we can tighten and clarify it:

1. Normalize the input early:
   • Strip leading/trailing whitespace.
   • Replace \ with / before parsing, to avoid browser/backslash quirks.
2. Use a single urlparse call and re-use its result; avoid parsing different string variants.
3. Treat URLs without a scheme but with a netloc-like prefix (e.g., example.com/path) as unsafe, even though browsers can resolve them.
4. For relative URLs, rely on Django’s url_has_allowed_host_and_scheme with allowed_hosts={request.get_host(), *parsed allowlist hosts} and require_https as configured.
5. For absolute URLs, compare normalized origins (scheme://netloc lowercased and stripped of trailing slashes) against ALLOWED_REDIRECT_ORIGINS similarly normalized, and apply the preview regexes to that normalized origin.
6. Ensure that get_safe_redirect_url can still safely handle the "index" default and whatever URL pattern your code already uses there.

Concretely, we’ll modify:

• is_safe_redirect_url to:
  • Normalize backslashes to forward slashes before any startswith/urlparse operation.
  • Lowercase the scheme and host in comparisons.
  • Normalize ALLOWED_REDIRECT_ORIGINS to comparable origin strings.
  • Use a single urlparse result and reduce duplication.
• get_safe_redirect_url stays as is logically, but continues to rely on the improved is_safe_redirect_url; its fallback default remains unchanged to preserve behavior.

No changes are needed to the call site in UsosAuthorizeView; after the sanitizer is strengthened, redirect(redirect_url) will be safe.

---

[Antoni-Czaplicki]

@JanekDr co myślisz żeby zrobić helper safe_redirect który w sobie sprawdzi czy jest safe i jak coś to nadpisze?

[Antoni-Czaplicki]

i pamiętaj też żeby dać Resolve jak już jest komentarz ogarnięty

[JanekDr]

@JanekDr co myślisz żeby zrobić helper safe_redirect który w sobie sprawdzi czy jest safe i jak coś to nadpisze?

Myśle ze to dobry pomysł i uszczupli lekko kod w metodach auth dla usosa i solvro

[Copilot]

Pull request overview

Refactors the authentication-related OAuth and OTP endpoints in users to improve DRF Spectacular (Swagger/OpenAPI) schema generation, while tightening redirect safety checks and documenting request/response variants.

Changes:

• Migrates Solvro/USOS OAuth endpoints from function-based views to DRF APIView / adrf async API views.
• Expands @extend_schema documentation across JWT, OAuth, and OTP endpoints (params, examples, and response codes).
• Updates redirect safety logic and adds tests for DEBUG-dependent HTTP/HTTPS redirect handling; adds initial OAuth flow tests.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

File	Description
users/views.py	New class-based OAuth endpoints, enhanced schema docs, updated redirect safety logic, and public OTP views made explicitly unauthenticated.
users/urls.py	Routes updated to point to the new class-based OAuth views.
users/tests/test_redirect_url.py	Adds DEBUG=True/False coverage for HTTP vs HTTPS redirect acceptance.
users/tests/test_oauth.py	Adds tests asserting callback URL composition and a mocked Solvro authorize flow.

Comments suppressed due to low confidence (1)

users/views.py:574

• Same add_query_params + view-name issue in the banned-user jwt=true branch: if redirect_url is the default view name, redirect(add_query_params(...)) can raise NoReverseMatch and return 500 instead of redirecting with an error.

            if request.GET.get("jwt", "false") == "true":
                auth_params = {"error": "user_banned"}
                if user.ban_reason:
                    auth_params["ban_reason"] = user.ban_reason
                return redirect(add_query_params(redirect_url, auth_params))

[Copilot]

redirect_url is allowed to be empty here (missing/blocked redirect param). In that case add_query_params(redirect_url, ...) will produce a string like ?error=..., and django.shortcuts.redirect() will raise NoReverseMatch because it treats it as a view name (no / or .). Consider falling back to a concrete URL/path (e.g., resolved index URL) when redirect_url is empty, or return a 400 response instead of attempting to redirect.

[Copilot]

Same issue as above: on the final retry, redirect_url may still be empty, and redirect(add_query_params(redirect_url, ...)) can crash with NoReverseMatch. Handle the empty/invalid redirect case explicitly before redirecting with query params.

[Copilot]

The OpenAPI schema advertises a 400 "Invalid redirect URL" response, but this view no longer returns 400 for an invalid redirect value (it gets replaced by the default in get_safe_redirect_url). Either reintroduce an explicit 400 for invalid redirects or remove/adjust the documented 400 so the schema matches runtime behavior.

Suggested change

400: OpenApiResponse(description="Invalid redirect URL."),

[Copilot]

In the jwt=true path, if redirect is missing/blocked then redirect_url falls back to the view name index. Calling add_query_params('index', ...) produces a string like index?error=no_email, and redirect() will raise NoReverseMatch (500) because it treats that as a view name. Ensure redirect_url is a real URL/path before appending query params (e.g., resolve the view name first or use a path default like /).

[Copilot]

These are API endpoint tests but they use django.test.TestCase + APIClient. Elsewhere in this repo, API tests consistently use rest_framework.test.APITestCase (e.g., users/tests/test_jwt.py, users/tests/test_guest.py), which provides better DRF integration and consistent helpers. Consider switching this test class to APITestCase for consistency.

Suggested change

	from django.test import TestCase, override_settings
	from django.urls import reverse
	from rest_framework.test import APIClient
	from users.models import User
	@override_settings(DEBUG=True)
	class SolvroOAuthTests(TestCase):
	def setUp(self):
	self.client = APIClient()
	from django.test import override_settings
	from django.urls import reverse
	from rest_framework.test import APITestCase
	from users.models import User
	@override_settings(DEBUG=True)
	class SolvroOAuthTests(APITestCase):