fix: authorization_code grant should not be required in implicit flow

This is a follow-up to #464 (implicit grant flow). It fixes a bug where the
"authorization_code" grant was required in the client's "grant" array. However,
for the implicit grant flow, only "implicit" grant should be required.

Closes #520

Author: adieuadieu

lib/handlers/authorize-handler.js

@@ -147,6 +147,7 @@ AuthorizeHandler.prototype.getClient = function(request) {
   if (redirectUri && !is.uri(redirectUri)) {
     throw new InvalidRequestError('Invalid request: `redirect_uri` is not a valid URI');
   }
+
   return promisify(this.model.getClient, 2).call(this.model, clientId, null)
     .then(function(client) {
       if (!client) {
@@ -157,7 +158,10 @@ AuthorizeHandler.prototype.getClient = function(request) {
         throw new InvalidClientError('Invalid client: missing client `grants`');
       }
 
-      if (!_.includes(client.grants, 'authorization_code')) {
+      var responseType = request.body.response_type || request.query.response_type;
+      var requestedGrantType = responseType === 'token' ? 'implicit' : 'authorization_code';
+
+      if (!_.includes(client.grants, requestedGrantType)) {
         throw new UnauthorizedClientError('Unauthorized client: `grant_type` is invalid');
       }
 
@@ -168,6 +172,7 @@ AuthorizeHandler.prototype.getClient = function(request) {
       if (redirectUri && !_.includes(client.redirectUris, redirectUri)) {
         throw new InvalidClientError('Invalid client: `redirect_uri` does not match client value');
       }
+
       return client;
     });
 };

package.json

@@ -36,6 +36,10 @@
     {
       "name": "Jonathon Hill",
       "email": "jhill9693@gmail.com"
+    },
+    {
+      "name": "Marco Lüthy",
+      "email": "marco.luethy@gmail.com"
     }
   ],
   "main": "index.js",

test/integration/handlers/authorize-handler_test.js

@@ -249,6 +249,46 @@ describe('AuthorizeHandler integration', function() {
         .catch(should.fail);
     });
 
+
+    it('given an implicit grant flow, should redirect to a successful response with `token` and `state` if successful', function() {
+      var client = { grants: ['implicit'], redirectUris: ['http://example.com/cb'] };
+      var token = { accessToken: 'foobar-token' }
+      var model = {
+        getAccessToken: function() {
+          return {
+            client: client,
+            user: {},
+            accessTokenExpiresAt: new Date(new Date().getTime() + 10000)
+          };
+        },
+        getClient: function() {
+          return client;
+        },
+        saveToken: function() { return token; }
+      };
+      var handler = new AuthorizeHandler({ accessTokenLifetime: 120, model: model });
+      var request = new Request({
+        body: {
+        },
+        headers: {
+          'Authorization': 'Bearer foo'
+        },
+        method: {},
+        query: {
+          client_id: 12345,
+          response_type: 'token',
+          state: 'foobar'
+        }
+      });
+      var response = new Response({ body: {}, headers: {} });
+
+      return handler.handle(request, response)
+        .then(function() {
+          response.get('location').should.equal('http://example.com/cb#access_token=foobar-token&state=foobar');
+        })
+        .catch(should.fail);
+    });
+
     it('should redirect to an error response if `scope` is invalid', function() {
       var model = {
         getAccessToken: function() {