tests(integration): grant types integration tests model integration covered

Author: jankapunkt

lib/grant-types/abstract-grant-type.js

@@ -36,8 +36,9 @@ function AbstractGrantType(options) {
 
 AbstractGrantType.prototype.generateAccessToken = async function(client, user, scope) {
   if (this.model.generateAccessToken) {
-    const accessToken = await this.model.generateAccessToken(client, user, scope);
-    return accessToken || tokenUtil.generateRandomToken();
+    // We should not fall back to a random accessToken, if the model did not
+    // return a token, in order to prevent unintended token-issuing.
+    return this.model.generateAccessToken(client, user, scope);
   }
 
   return tokenUtil.generateRandomToken();
@@ -49,8 +50,9 @@ AbstractGrantType.prototype.generateAccessToken = async function(client, user, s
 
 AbstractGrantType.prototype.generateRefreshToken = async function(client, user, scope) {
   if (this.model.generateRefreshToken) {
-    const refreshToken = await this.model.generateRefreshToken(client, user, scope);
-    return refreshToken || tokenUtil.generateRandomToken();
+    // We should not fall back to a random refreshToken, if the model did not
+    // return a token, in order to prevent unintended token-issuing.
+    return this.model.generateRefreshToken(client, user, scope);
   }
 
   return tokenUtil.generateRandomToken();

lib/grant-types/authorization-code-grant-type.js

@@ -195,11 +195,11 @@ class AuthorizationCodeGrantType extends AbstractGrantType {
     const refreshTokenExpiresAt = await this.getRefreshTokenExpiresAt();
 
     const token = {
-      accessToken: accessToken,
-      authorizationCode: authorizationCode,
-      accessTokenExpiresAt: accessTokenExpiresAt,
-      refreshToken: refreshToken,
-      refreshTokenExpiresAt: refreshTokenExpiresAt,
+      accessToken,
+      authorizationCode,
+      accessTokenExpiresAt,
+      refreshToken,
+      refreshTokenExpiresAt,
       scope: validatedScope,
     };
 

lib/grant-types/client-credentials-grant-type.js

@@ -73,8 +73,8 @@ class ClientCredentialsGrantType extends AbstractGrantType {
     const accessToken = await this.generateAccessToken(client, user, scope);
     const accessTokenExpiresAt = await this.getAccessTokenExpiresAt(client, user, scope);
     const token = {
-      accessToken: accessToken,
-      accessTokenExpiresAt: accessTokenExpiresAt,
+      accessToken,
+      accessTokenExpiresAt,
       scope: validatedScope,
     };
 

lib/grant-types/password-grant-type.js

@@ -94,10 +94,10 @@ class PasswordGrantType extends AbstractGrantType {
     const refreshTokenExpiresAt = await this.getRefreshTokenExpiresAt();
 
     const token = {
-      accessToken: accessToken,
-      accessTokenExpiresAt: accessTokenExpiresAt,
-      refreshToken: refreshToken,
-      refreshTokenExpiresAt: refreshTokenExpiresAt,
+      accessToken,
+      accessTokenExpiresAt,
+      refreshToken,
+      refreshTokenExpiresAt,
       scope: validatedScope,
     };
 

test/integration/grant-types/abstract-grant-type_test.js

@@ -7,6 +7,7 @@
 const AbstractGrantType = require('../../../lib/grant-types/abstract-grant-type');
 const InvalidArgumentError = require('../../../lib/errors/invalid-argument-error');
 const Request = require('../../../lib/request');
+const InvalidScopeError = require('../../../lib/errors/invalid-scope-error');
 const should = require('chai').should();
 
 /**
@@ -44,7 +45,7 @@ describe('AbstractGrantType integration', function() {
     });
 
     it('should set the `model`', function() {
-      const model = {};
+      const model = { async generateAccessToken () {} };
       const grantType = new AbstractGrantType({ accessTokenLifetime: 123, model: model });
 
       grantType.model.should.equal(model);
@@ -58,70 +59,62 @@ describe('AbstractGrantType integration', function() {
   });
 
   describe('generateAccessToken()', function() {
-    it('should return an access token', function() {
+    it('should return an access token', async function() {
       const handler = new AbstractGrantType({ accessTokenLifetime: 123, model: {}, refreshTokenLifetime: 456 });
-
-      return handler.generateAccessToken()
-        .then(function(data) {
-          data.should.be.a.sha256();
-        })
-        .catch(should.fail);
+      const accessToken = await handler.generateAccessToken();
+      accessToken.should.be.a.sha256();
     });
 
-    it('should support promises', function() {
+    it('should support promises', async function() {
       const model = {
         generateAccessToken: async function() {
-          return {};
+          return 'long-hash-foo-bar';
         }
       };
       const handler = new AbstractGrantType({ accessTokenLifetime: 123, model: model, refreshTokenLifetime: 456 });
-
-      handler.generateAccessToken().should.be.an.instanceOf(Promise);
+      const accessToken = await handler.generateAccessToken();
+      accessToken.should.equal('long-hash-foo-bar');
     });
 
-    it('should support non-promises', function() {
+    it('should support non-promises', async function() {
       const model = {
         generateAccessToken: function() {
-          return {};
+          return 'long-hash-foo-bar';
         }
       };
       const handler = new AbstractGrantType({ accessTokenLifetime: 123, model: model, refreshTokenLifetime: 456 });
-
-      handler.generateAccessToken().should.be.an.instanceOf(Promise);
+      const accessToken = await handler.generateAccessToken();
+      accessToken.should.equal('long-hash-foo-bar');
     });
   });
 
   describe('generateRefreshToken()', function() {
-    it('should return a refresh token', function() {
+    it('should return a refresh token', async function() {
       const handler = new AbstractGrantType({ accessTokenLifetime: 123, model: {}, refreshTokenLifetime: 456 });
-
-      return handler.generateRefreshToken()
-        .then(function(data) {
-          data.should.be.a.sha256();
-        })
-        .catch(should.fail);
+      const refreshToken = await handler.generateRefreshToken();
+      refreshToken.should.be.a.sha256();
     });
 
-    it('should support promises', function() {
+    it('should support promises', async function() {
       const model = {
         generateRefreshToken: async function() {
-          return {};
+          return 'long-hash-foo-bar';
         }
       };
       const handler = new AbstractGrantType({ accessTokenLifetime: 123, model: model, refreshTokenLifetime: 456 });
-
-      handler.generateRefreshToken().should.be.an.instanceOf(Promise);
+      const refreshToken = await handler.generateRefreshToken();
+      refreshToken.should.equal('long-hash-foo-bar');
     });
 
-    it('should support non-promises', function() {
+    it('should support non-promises', async function() {
       const model = {
         generateRefreshToken: function() {
-          return {};
+          return 'long-hash-foo-bar';
         }
       };
       const handler = new AbstractGrantType({ accessTokenLifetime: 123, model: model, refreshTokenLifetime: 456 });
-
-      handler.generateRefreshToken().should.be.an.instanceOf(Promise);
+      const refreshToken = await handler.generateRefreshToken();
+      refreshToken.should.equal('long-hash-foo-bar');
     });
   });
 
@@ -170,4 +163,64 @@ describe('AbstractGrantType integration', function() {
       handler.getScope(request).should.equal('foo');
     });
   });
+
+  describe('validateScope()', function () {
+    it('accepts the scope, if the model does not implement it', async function () {
+      const scope = 'some,scope,this,that';
+      const user = { id: 123 };
+      const client = { id: 456 };
+      const handler = new AbstractGrantType({ accessTokenLifetime: 123, model: {}, refreshTokenLifetime: 456 });
+      const validated = await handler.validateScope(user, client, scope);
+      validated.should.equal(scope);
+    });
+
+    it('accepts the scope, if the model accepts it', async function () {
+      const scope = 'some,scope,this,that';
+      const user = { id: 123 };
+      const client = { id: 456 };
+
+      const model = {
+        async validateScope (_user, _client, _scope) {
+          // make sure the model received the correct args
+          _user.should.deep.equal(user);
+          _client.should.deep.equal(_client);
+          _scope.should.equal(scope);
+
+          return scope;
+        }
+      };
+      const handler = new AbstractGrantType({ accessTokenLifetime: 123, model, refreshTokenLifetime: 456 });
+      const validated = await handler.validateScope(user, client, scope);
+      validated.should.equal(scope);
+    });
+
+    it('throws if the model rejects the scope', async function () {
+      const scope = 'some,scope,this,that';
+      const user = { id: 123 };
+      const client = { id: 456 };
+      const returnTypes = [undefined, null, false, 0, ''];
+
+      for (const type of returnTypes) {
+        const model = {
+          async validateScope (_user, _client, _scope) {
+            // make sure the model received the correct args
+            _user.should.deep.equal(user);
+            _client.should.deep.equal(_client);
+            _scope.should.equal(scope);
+
+            return type;
+          }
+        };
+        const handler = new AbstractGrantType({ accessTokenLifetime: 123, model, refreshTokenLifetime: 456 });
+
+        try {
+          await handler.validateScope(user, client, scope);
+          should.fail();
+        } catch (e) {
+          e.should.be.an.instanceOf(InvalidScopeError);
+          e.message.should.equal('Invalid scope: Requested scope is invalid');
+        }
+      }
+    });
+  });
 });