From fa0dfd812c76e7689ccc8e0d974f61895f870494 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joris=20Pelgr=C3=B6m?=
Date: Tue, 30 Aug 2022 03:52:10 +0200
Subject: [PATCH] Update allowlisted OAuth redirect URIs for Wear OS (#77411)
---
 homeassistant/components/auth/indieauth.py | 12 +++++++++---
 tests/components/auth/test_indieauth.py | 13 +++++++++++++
 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/homeassistant/components/auth/indieauth.py b/homeassistant/components/auth/indieauth.py
index fc4c298ca6c..478f7ab2831 100644
--- a/homeassistant/components/auth/indieauth.py
+++ b/homeassistant/components/auth/indieauth.py
@@ -38,9 +38,15 @@ async def verify_redirect_uri(
 # Whitelist the iOS and Android callbacks so that people can link apps
 # without being connected to the internet.
- if redirect_uri == "homeassistant://auth-callback" and client_id in (
- "https://home-assistant.io/android",
- "https://home-assistant.io/iOS",
+ if (
+ client_id == "https://home-assistant.io/iOS"
+ and redirect_uri == "homeassistant://auth-callback"
+ ):
+ return True
+
+ if client_id == "https://home-assistant.io/android" and redirect_uri in (
+ "homeassistant://auth-callback",
+ "https://wear.googleapis.com/3p_auth/io.homeassistant.companion.android",
 ):
 return True
diff --git a/tests/components/auth/test_indieauth.py b/tests/components/auth/test_indieauth.py
index 4cf7402725d..17d1fa927a0 100644
--- a/tests/components/auth/test_indieauth.py
+++ b/tests/components/auth/test_indieauth.py
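Review bot: The comment kept as context above the two checks in verify_redirect_uri still describes only the iOS and Android callbacks and an offline-linking rationale, while the Android branch now also accepts an https redirect on wear.googleapis.com, so the authorization code for that flow is delivered through a third-party host rather than to a custom scheme handled on the device. I would document that trust decision on the Android branch, e.g. `# Wear OS: the code is returned via Google's 3p_auth redirect for this package name (confirm against the Wear OS auth docs); compare exactly, never by prefix.` Because the same URI literals are repeated in the test file, naming them as module-level constants would also keep the allowlist and its tests from drifting apart. The function's body begins and continues outside this hunk, so the fallback path for other client ids is not visible here.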
@@ -183,3 +183,16 @@ async def test_verify_redirect_uri_android_ios(client_id):
 assert not await indieauth.verify_redirect_uri(
 None, "https://incorrect.com", "homeassistant://auth-callback"
 )
+
+ if client_id == "https://home-assistant.io/android":
+ assert await indieauth.verify_redirect_uri(
+ None,
+ client_id,
+ "https://wear.googleapis.com/3p_auth/io.homeassistant.companion.android",
+ )
+ else:
+ assert not await indieauth.verify_redirect_uri(
+ None,
+ client_id,
+ "https://wear.googleapis.com/3p_auth/io.homeassistant.companion.android",
+ )
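Review bot: The added assertions in test_verify_redirect_uri_android_ios exercise only the exact Wear OS URI, so a later change in verify_redirect_uri from exact comparison to prefix or substring matching would still pass this test. A near-miss case for the Android client id would pin the exact-match behaviour of the allowlist, e.g. `assert not await indieauth.verify_redirect_uri(None, client_id, "https://wear.googleapis.com/3p_auth/io.homeassistant.companion.android.example")`, where the `.example` suffix is a constructed value. The test function starts outside this hunk and the non-allowlisted path of verify_redirect_uri is not visible here, so whether that extra case needs the same setup as the existing negative assertions should be checked.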