Add codespell support: config + workflow to catch new typos, let it fix some

.pre-commit-config.yaml

@@ -29,3 +29,11 @@ repos:
     rev: v0.9.1
     hooks:
       - id: sphinx-lint
+  # Configuration for codespell is in pyproject.toml
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.2.6
+    hooks:
+    - id: codespell
+      exclude: (package-lock.json|/locale/)
+      additional_dependencies:
+      - tomli

AUTHORS

@@ -110,4 +110,5 @@ Will Beaufoy
 pySilver
 Łukasz Skarżyński
 Wouter Klein Heerenbrink
+Yaroslav Halchenko
 Yuri Savin

CHANGELOG.md

@@ -31,7 +31,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * #1311 Add option to disable client_secret hashing to allow verifying JWTs' signatures.
 * #1337 Gracefully handle expired or deleted refresh tokens, in `validate_user`.
 * #1350 Support Python 3.12 and Django 5.0
-* #1249 Add code_challenge_methods_supported property to auto discovery informations, per [RFC 8414 section 2](https://www.rfc-editor.org/rfc/rfc8414.html#page-7)
+* #1249 Add code_challenge_methods_supported property to auto discovery information, per [RFC 8414 section 2](https://www.rfc-editor.org/rfc/rfc8414.html#page-7)
 
 
 ### Fixed
@@ -144,7 +144,7 @@ This is a major release with **BREAKING** changes. Please make sure to review th
 
 ### Added
 * #969 Add batching of expired token deletions in `cleartokens` management command and `models.clear_expired()`
-  to improve performance for removal of large numers of expired tokens. Configure with
+  to improve performance for removal of large numbers of expired tokens. Configure with
   [`CLEAR_EXPIRED_TOKENS_BATCH_SIZE`](https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html#clear-expired-tokens-batch-size) and
   [`CLEAR_EXPIRED_TOKENS_BATCH_INTERVAL`](https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html#clear-expired-tokens-batch-interval).
 * #1070 Add a Celery task for clearing expired tokens, e.g. to be scheduled as a [periodic task](https://docs.celeryproject.org/en/stable/userguide/periodic-tasks.html).
@@ -229,7 +229,7 @@ This is a major release with **BREAKING** changes. Please make sure to review th
 
 ### Added
 * #917 Documentation improvement for Access Token expiration.
-* #916 (for DOT contributors) Added `tox -e livedocs` which launches a local web server on `locahost:8000`
+* #916 (for DOT contributors) Added `tox -e livedocs` which launches a local web server on `localhost:8000`
   to display Sphinx documentation with live updates as you edit.
 * #891 (for DOT contributors) Added [details](https://django-oauth-toolkit.readthedocs.io/en/latest/contributing.html)
   on how best to contribute to this project.
@@ -434,7 +434,7 @@ This is a major release with **BREAKING** changes. Please make sure to review th
 * #185: fixed vulnerabilities on Basic authentication
 * #173: ProtectResourceMixin now allows OPTIONS requests
 * Fixed `client_id` and `client_secret` characters set
-* #169: hide sensitive informations in error emails
+* #169: hide sensitive information in error emails
 * #161: extend search to all token types when revoking a token
 * #160: return empty response on successful token revocation
 * #157: skip authorization form with ``skip_authorization_completely`` class field

docs/getting_started.rst

@@ -111,7 +111,7 @@ Configure ``users.User`` to be the model used for the ``auth`` application by ad
 
     AUTH_USER_MODEL = 'users.User'
 
-Create inital migration for ``users`` application ``User`` model::
+Create initial migration for ``users`` application ``User`` model::
 
     python manage.py makemigrations
 

docs/oidc.rst

@@ -34,7 +34,7 @@ that must be provided. ``django-oauth-toolkit`` supports two different
 algorithms for signing JWT tokens, ``RS256``, which uses asymmetric RSA keys (a
 public key and a private key), and ``HS256``, which uses a symmetric key.
 
-It is preferrable to use ``RS256``, because this produces a token that can be
+It is preferable to use ``RS256``, because this produces a token that can be
 verified by anyone using the public key (which is made available and
 discoverable by OIDC service auto-discovery, included with
 ``django-oauth-toolkit``). ``HS256`` on the other hand uses the
@@ -372,7 +372,7 @@ for a POST request.
 
 Again, to modify the content delivered, we need to add a function to our
 custom validator. The default implementation adds the claims from the ID
-token, so you will probably want to re-use that::
+token, so you will probably want to reuse that::
 
     class CustomOAuth2Validator(OAuth2Validator):
 

docs/tutorial/tutorial_01.rst

@@ -82,7 +82,7 @@ Let's register your application.
 
 You need to be logged in before registration. So, go to http://localhost:8000/admin and log in. After that
 point your browser to http://localhost:8000/o/applications/ and add an Application instance.
-`Client id` and `Client Secret` are automatically generated; you have to provide the rest of the informations:
+`Client id` and `Client Secret` are automatically generated; you have to provide the rest of the information:
 
  * `User`: the owner of the Application (e.g. a developer, or the currently logged in user.)
 

docs/tutorial/tutorial_04.rst

@@ -36,7 +36,7 @@ obtained in :doc:`part 1 <tutorial_01>`. If your application type is `Confidenti
     token=XXXX&client_id=XXXX&client_secret=XXXX
 
 
-The server will respond wih a ``200`` status code on successful revocation. You can use ``curl`` to make a revoke request on your server. If you have access to a local installation of your authorization server, you can test revoking a token with a request like that shown below, for a `Confidential` client.
+The server will respond with a ``200`` status code on successful revocation. You can use ``curl`` to make a revoke request on your server. If you have access to a local installation of your authorization server, you can test revoking a token with a request like that shown below, for a `Confidential` client.
 
 ::
 

oauth2_provider/contrib/rest_framework/permissions.py

@@ -107,7 +107,7 @@ class IsAuthenticatedOrTokenHasScope(BasePermission):
     This only returns True if the user is authenticated, but not using a token
     or using a token, and the token has the correct scope.
 
-    This is usefull when combined with the DjangoModelPermissions to allow people browse
+    This is useful when combined with the DjangoModelPermissions to allow people browse
     the browsable api's if they log in using the a non token bassed middleware,
     and let them access the api's using a rest client with a token
     """

oauth2_provider/oauth2_validators.py

@@ -104,10 +104,10 @@ def _extract_basic_auth(self, request):
         if not auth:
             return None
 
-        splitted = auth.split(" ", 1)
-        if len(splitted) != 2:
+        split = auth.split(" ", 1)
+        if len(split) != 2:
             return None
-        auth_type, auth_string = splitted
+        auth_type, auth_string = split
 
         if auth_type != "Basic":
             return None
@@ -927,7 +927,7 @@ def _get_client_by_audience(self, audience):
         return Application.objects.filter(client_id__in=audience).first()
 
     def validate_user_match(self, id_token_hint, scopes, claims, request):
-        # TODO: Fix to validate when necessary acording
+        # TODO: Fix to validate when necessary according
         # https://github.com/idan/oauthlib/blob/master/oauthlib/oauth2/rfc6749/request_validator.py#L556
         # http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest id_token_hint section
         return True

oauth2_provider/views/base.py

@@ -77,10 +77,10 @@ class AuthorizationView(BaseAuthorizationView, FormView):
 
     * then receive a ``POST`` request possibly after user authorized the access
 
-    Some informations contained in the ``GET`` request and needed to create a Grant token during
+    Some information contained in the ``GET`` request and needed to create a Grant token during
     the ``POST`` request would be lost between the two steps above, so they are temporarily stored in
     hidden fields on the form.
-    A possible alternative could be keeping such informations in the session.
+    A possible alternative could be keeping such information in the session.
 
     The endpoint is used in the following flows:
     * Authorization code

pyproject.toml

@@ -8,3 +8,10 @@ exclude = '''
     |   .tox
 )
 '''
+
+# Ref: https://github.com/codespell-project/codespell#using-a-config-file
+[tool.codespell]
+skip = '.git,package-lock.json,locale'
+check-hidden = true
+ignore-regex = '.*pragma: codespell-ignore.*'
+# ignore-words-list = ''

tests/app/idp/idp/oauth.py

@@ -5,7 +5,7 @@
 from oauth2_provider.oauth2_validators import OAuth2Validator
 
 
-# get_response is required for middlware, it doesn't need to do anything
+# get_response is required for middleware, it doesn't need to do anything
 # the way we're using it, so we just use a lambda that returns None
 def get_response():
     None

tests/mig_settings.py

@@ -21,7 +21,7 @@
 # See https://docs.djangoproject.com/en/4.0/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = "django-insecure-9$j0^ot%41l5r(nj9hg02up-n+$59kld!0%l6pvqbd()u%z2as"
+SECRET_KEY = "django-insecure-9$j0^ot%41l5r(nj9hg02up-n+$59kld!0%l6pvqbd()u%z2as"  # pragma: codespell-ignore
 
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True

tests/test_implicit.py

@@ -361,7 +361,7 @@ def test_id_token_skip_authorization_completely_missing_nonce(self):
         response = self.client.get(reverse("oauth2_provider:authorize"), data=query_data)
         self.assertEqual(response.status_code, 302)
         self.assertIn("error=invalid_request", response["Location"])
-        self.assertIn("error_description=Request+is+missing+mandatory+nonce+paramete", response["Location"])
+        self.assertIn("error_description=Request+is+missing+mandatory+nonce+parameter", response["Location"])
 
     def test_id_token_post_auth_deny(self):
         """