From 749c8275ac15481539e76eb1abe9f2724e76c8dd Mon Sep 17 00:00:00 2001
From: Marcos Prieto
Date: Mon, 29 Apr 2024 12:13:47 +0200
Subject: [PATCH] Explicitly list the authorization routes that use a query parameter

While a bit more verbose it's more explicit and more "grep-able" while looking for code related to one particular route.
---
 lms/security.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lms/security.py b/lms/security.py
index 01ddd985f5..bb6e9bd771 100644
--- a/lms/security.py
+++ b/lms/security.py
@@ -127,7 +127,12 @@ def get_policy(request: Request):
 # LTIUser serialized in the state param for the oauth flow
 return OAuthCallbackLTIUserPolicy()

- if (path.startswith("/api") and path.endswith("authorize")) or path in {
+ if path in {
+ # LTUser serialized as query param for authorization failures
+ "/api/d2l/oauth/authorize",
+ "/api/blackboard/oauth/authorize",
+ "/api/canvas/oauth/authorize",
+ "/api/canvas_studio/oauth/authorize",
 # To fetch pages content from LMSes' APIs
 "/api/canvas/pages/proxy",
 "/api/moodle/pages/proxy",
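Review bot: The explicit set at `if path in {` no longer matches every `/api…authorize` path, so an authorize route missing from these four entries (or added later) will fall through to whatever policy `get_policy` selects next, and nothing in the hunk keeps the list tied to the registered routes. Narrowing which paths accept an LTIUser from the query string is the safer direction, but the list should carry a maintenance comment such as `# Keep in sync with the registered */oauth/authorize routes; a path missing here will not get the query-param LTIUser policy`, and a test asserting that each authorize route resolves to the expected policy would catch drift. The new comment also misspells the type; it should read `# LTIUser serialized as query param for authorization failures`. The set literal and the rest of `get_policy` continue outside the hunk, so whether other authorize routes exist cannot be confirmed from here.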