
Merge branch 'master' into web-origin
jaredhanson committed Aug 11, 2017
2 parents 095e0af + 7259681 commit d872ea0
Showing 8 changed files with 101 additions and 2 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -89,7 +89,7 @@ app.get('/dialog/authorize',
Clients.findOne(clientID, function(err, client) {
if (err) { return done(err); }
if (!client) { return done(null, false); }
if (!client.redirectUri != redirectURI) { return done(null, false); }
if (client.redirectUri != redirectURI) { return done(null, false); }
return done(null, client, client.redirectURI);
});
}),
4 changes: 4 additions & 0 deletions lib/exchange/clientCredentials.js
Expand Up @@ -84,6 +84,10 @@ module.exports = function(options, issue) {
, scope = req.body.scope;

if (scope) {
if (typeof scope !== 'string') {
return next(new TokenError('Invalid parameter: scope must be a string', 'invalid_request'));
}

for (var i = 0, len = separators.length; i < len; i++) {
var separated = scope.split(separators[i]);
// only separate on the first matching separator. this allows for a sort
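Review bot: The guard added at the top of the `if (scope)` block is copied verbatim into password.js and refreshToken.js in this same commit, so a shared helper (e.g. a `parseScope(scope, separators)` in lib/utils that returns the array or a TokenError) would keep the three exchanges from drifting and give one place to add a length bound if one is ever wanted. The reason for the check is not visible from the code either; a comment such as `// body parsers turn repeated keys / bracket syntax into arrays or objects; reject those so split() below cannot throw and crash the request` would record it. Because of the enclosing `if (scope)` an empty string still skips the whole block, which is pre-existing behaviour and consistent with scope being optional. The enclosing exchange function starts before and ends after this hunk.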
4 changes: 4 additions & 0 deletions lib/exchange/password.js
Expand Up @@ -90,6 +90,10 @@ module.exports = function(options, issue) {
if (!passwd) { return next(new TokenError('Missing required parameter: password', 'invalid_request')); }

if (scope) {
if (typeof scope !== 'string') {
return next(new TokenError('Invalid parameter: scope must be a string', 'invalid_request'));
}

for (var i = 0, len = separators.length; i < len; i++) {
var separated = scope.split(separators[i]);
// only separate on the first matching separator. this allows for a sort
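Review bot: `scope` is now type-checked but `passwd` (the `if (!passwd)` line) and, presumably, `username` just above it are only presence-checked, even though they come from the same `req.body` and are handed straight to the application's `issue` callback; the body-parser behaviour that yields an array for scope can equally yield an object for a credential, which matters if `issue` feeds it into a query (a `{ $gt: '' }` style value against a document store, for instance). Adding `if (typeof username !== 'string' || typeof passwd !== 'string') { return next(new TokenError('Invalid parameter: username and password must be strings', 'invalid_request')); }` beside the existing presence checks closes that gap with the same error shape this commit introduces. The enclosing exchange function starts before and ends after this hunk.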
4 changes: 4 additions & 0 deletions lib/exchange/refreshToken.js
Expand Up @@ -85,6 +85,10 @@ module.exports = function(options, issue) {
if (!refreshToken) { return next(new TokenError('Missing required parameter: refresh_token', 'invalid_request')); }

if (scope) {
if (typeof scope !== 'string') {
return next(new TokenError('Invalid parameter: scope must be a string', 'invalid_request'));
}

for (var i = 0, len = separators.length; i < len; i++) {
var separated = scope.split(separators[i]);
// only separate on the first matching separator. this allows for a sort
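Review bot: `refresh_token` is still only presence-checked (`if (!refreshToken)`) while the new guard covers scope alone, so an array or object produced by the body parser reaches the application's `issue(client, refreshToken, done)` callback untyped; a lookup keyed on the raw value may then match nothing or, depending on the store, be interpreted as a query operator rather than a token string. `if (typeof refreshToken !== 'string') { return next(new TokenError('Invalid parameter: refresh_token must be a string', 'invalid_request')); }` placed directly after the presence check mirrors the new scope handling. The enclosing exchange function starts before and ends after this hunk.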
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "oauth2orize",
"version": "1.8.0",
"version": "1.8.1",
"description": "OAuth 2.0 authorization server toolkit for Node.js.",
"keywords": [
"oauth",
29 changes: 29 additions & 0 deletions test/exchange/clientCredentials.test.js
Expand Up @@ -429,6 +429,35 @@ describe('exchange.clientCredentials', function() {
expect(err.message).to.equal('OAuth2orize requires body parsing. Did you forget app.use(express.bodyParser())?');
});
});

describe('handling a request where scope format is not string', function () {
var response, err;

before(function (done) {
function issue(client, done) {
return done(null, '.ignore')
}

chai.connect.use(clientCredentials(issue))
.req(function (req) {
req.user = { id: 'c123', name: 'Example' };
req.body = { scope: ['read', 'write'] };
})
.next(function (e) {
err = e;
done();
})
.dispatch();
});

it('should error', function () {
expect(err).to.be.an.instanceOf(Error);
expect(err.name).to.equal('TokenError');
expect(err.message).to.equal('Invalid parameter: scope must be a string');
expect(err.code).to.equal('invalid_request');
expect(err.status).to.equal(400);
});
});

describe('with scope separator option', function() {
function issue(client, scope, done) {
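Review bot: The new `issue` stub returns `done(null, '.ignore')` and nothing asserts that it was never reached, so this test would still pass if the typeof guard ran after `issue` rather than before it; the password.test.js variant in this commit uses `done(new Error(...))`, which surfaces any unexpected call, and the same shape here (`function issue(client, done) { return done(new Error('issue should not be called')); }`) makes the ordering part of the contract. `var response` on the first line of the new describe is never assigned or read and can be dropped, and the `'.ignore'` line is missing its semicolon. Only the array form of scope is covered; a second case with `req.body = { scope: { read: true } }` would exercise the object shape that bracket-syntax body parsing produces.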
29 changes: 29 additions & 0 deletions test/exchange/password.test.js
Expand Up @@ -506,6 +506,35 @@ describe('exchange.password', function() {
});
});

describe('handling a request where scope format is not string', function () {
var response, err;

before(function (done) {
function issue(client, username, passwd, done) {
return done(new Error('something is wrong'));
}

chai.connect.use(password(issue))
.req(function (req) {
req.user = { id: 'c123', name: 'Example' };
req.body = { username: 'bob', password: 'shh', scope: ['read', 'write'] };
})
.next(function (e) {
err = e;
done();
})
.dispatch();
});

it('should error', function () {
expect(err).to.be.an.instanceOf(Error);
expect(err.name).to.equal('TokenError');
expect(err.message).to.equal('Invalid parameter: scope must be a string');
expect(err.code).to.equal('invalid_request');
expect(err.status).to.equal(400);
});
});

describe('with scope separator option', function() {
describe('issuing an access token based on array of scopes', function() {
function issue(client, username, passwd, scope, done) {
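Review bot: This case is the strongest of the three because the stub's `done(new Error('something is wrong'))` would surface any call to `issue`, but nothing states that intent; a one-line comment above the stub, `// issue must not be reached: a malformed scope is rejected before credential verification`, would stop a future edit from "fixing" the stub into a success path. `var response` is declared but never used and can be removed. Only an array-valued scope is tested; adding `req.body = { username: 'bob', password: 'shh', scope: { read: true } }` as a second case would cover the object form.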
29 changes: 29 additions & 0 deletions test/exchange/refreshToken.test.js
Expand Up @@ -467,6 +467,35 @@ describe('exchange.refreshToken', function() {
expect(err.message).to.equal('OAuth2orize requires body parsing. Did you forget app.use(express.bodyParser())?');
});
});

describe('handling a request where scope format is not string', function () {
var response, err;

before(function (done) {
function issue(client, refreshToken, done) {
return done(null, '.ignore')
}

chai.connect.use(refreshToken(issue))
.req(function (req) {
req.user = { id: 'c123', name: 'Example' };
req.body = { refresh_token: 'refreshing', scope: ['read', 'write'] };
})
.next(function (e) {
err = e;
done();
})
.dispatch();
});

it('should error', function () {
expect(err).to.be.an.instanceOf(Error);
expect(err.name).to.equal('TokenError');
expect(err.message).to.equal('Invalid parameter: scope must be a string');
expect(err.code).to.equal('invalid_request');
expect(err.status).to.equal(400);
});
});

describe('with scope separator option', function() {
describe('issuing an access token based on array of scopes', function() {
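Review bot: The `issue` stub returning `done(null, '.ignore')` cannot detect whether the guard ran before or after `issue`, so the test proves the error shape but not that a malformed scope stops the exchange early; returning `done(new Error('issue should not be called'))` as password.test.js does, or recording a flag and asserting it stayed false, would pin the ordering. `var response` is unused and the `'.ignore'` line lacks a semicolon. A second case with `req.body = { refresh_token: 'refreshing', scope: { read: true } }` would cover the object form of scope alongside the array form.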
