PKCE - implementation

Author: visvk

lib/grant-types/authorization-code-grant-type.js

@@ -9,10 +9,12 @@ var InvalidArgumentError = require('../errors/invalid-argument-error');
 var InvalidGrantError = require('../errors/invalid-grant-error');
 var InvalidRequestError = require('../errors/invalid-request-error');
 var Promise = require('bluebird');
+var crypto = require('crypto');
 var promisify = require('promisify-any').use(Promise);
 var ServerError = require('../errors/server-error');
 var is = require('../validator/is');
 var util = require('util');
+var stringUtil = require('../utils/string-util');
 
 /**
  * Constructor.
@@ -118,6 +120,24 @@ AuthorizationCodeGrantType.prototype.getAuthorizationCode = function(request, cl
         throw new InvalidGrantError('Invalid grant: `redirect_uri` is not a valid URI');
       }
 
+      if (code.codeChallenge) {
+        if (!code.codeChallengeMethod) {
+          throw new ServerError('Server error: `getAuthorizationCode()` did not return a `codeChallengeMethod` property');
+        }
+
+        if (code.codeChallengeMethod === 'plain' && code.codeChallenge !== request.body.code_verifier) {
+          throw new InvalidGrantError('Invalid grant: `code_verifier` is invalid');
+        }
+
+        if (code.codeChallengeMethod === 'S256') {
+          var hash = stringUtil.base64URLEncode(crypto.createHash('sha256').update(request.body.code_verifier).digest());
+
+          if (code.codeChallenge !== hash) {
+            throw new InvalidGrantError('Invalid grant: `code_verifier` is invalid');
+          }
+        }
+      }
+
       return code;
     });
 };

lib/handlers/authorize-handler.js

@@ -95,18 +95,25 @@ AuthorizeHandler.prototype.handle = function(request, response) {
       var scope;
       var state;
       var ResponseType;
+      var codeChallenge;
+      var codeChallengeMethod;
 
       return Promise.bind(this)
-	.then(function() {
+        .then(function() {
           scope = this.getScope(request);
+          codeChallenge = this.getCodeChallenge(request);
 
-	  return this.generateAuthorizationCode(client, user, scope);
-	})
+          if (codeChallenge) {
+            codeChallengeMethod = this.getCodeChallengeMethod(request) || 'plain';
+          }
+
+          return this.generateAuthorizationCode(client, user, scope, codeChallenge, codeChallengeMethod);
+        })
         .then(function(authorizationCode) {
           state = this.getState(request);
           ResponseType = this.getResponseType(request);
 
-          return this.saveAuthorizationCode(authorizationCode, expiresAt, scope, client, uri, user);
+          return this.saveAuthorizationCode(authorizationCode, expiresAt, scope, client, uri, user, codeChallenge, codeChallengeMethod);
         })
         .then(function(code) {
           var responseType = new ResponseType(code.authorizationCode);
@@ -133,13 +140,29 @@ AuthorizeHandler.prototype.handle = function(request, response) {
  * Generate authorization code.
  */
 
-AuthorizeHandler.prototype.generateAuthorizationCode = function(client, user, scope) {
+AuthorizeHandler.prototype.generateAuthorizationCode = function(client, user, scope, codeChallenge, codeChallengeMethod) {
   if (this.model.generateAuthorizationCode) {
-    return promisify(this.model.generateAuthorizationCode).call(this.model, client, user, scope);
+    return promisify(this.model.generateAuthorizationCode, 5).call(this.model, client, user, scope, codeChallenge, codeChallengeMethod);
   }
   return tokenUtil.generateRandomToken();
 };
 
+AuthorizeHandler.prototype.getCodeChallenge = function(request) {
+  var codeChallenge = request.body.code_challenge || request.query.code_challenge;
+
+  return codeChallenge;
+};
+
+AuthorizeHandler.prototype.getCodeChallengeMethod = function(request) {
+  var codeChallengeMethod = request.body.code_challenge_method || request.query.code_challenge_method;
+
+  if (codeChallengeMethod && !_.includes(['S256', 'plain'], codeChallengeMethod)) {
+    throw new InvalidRequestError('Invalid parameter: `code_challenge_method`');
+  }
+
+  return codeChallengeMethod;
+};
+
 /**
  * Get authorization code lifetime.
  */
@@ -257,12 +280,14 @@ AuthorizeHandler.prototype.getRedirectUri = function(request, client) {
  * Save authorization code.
  */
 
-AuthorizeHandler.prototype.saveAuthorizationCode = function(authorizationCode, expiresAt, scope, client, redirectUri, user) {
+AuthorizeHandler.prototype.saveAuthorizationCode = function(authorizationCode, expiresAt, scope, client, redirectUri, user, codeChallenge, codeChallengeMethod) {
   var code = {
     authorizationCode: authorizationCode,
     expiresAt: expiresAt,
     redirectUri: redirectUri,
-    scope: scope
+    scope: scope,
+    codeChallenge: codeChallenge,
+    codeChallengeMethod: codeChallengeMethod
   };
   return promisify(this.model.saveAuthorizationCode, 3).call(this.model, code, client, user);
 };

lib/utils/string-util.js

@@ -0,0 +1,14 @@
+'use strict';
+
+/**
+ * Export `StringUtil`.
+ */
+
+module.exports = {
+  base64URLEncode: function(str) {
+    return str.toString('base64')
+      .replace(/\+/g, '-')
+      .replace(/\//g, '_')
+      .replace(/=/g, '');
+  }
+};

test/integration/grant-types/authorization-code-grant-type_test.js

@@ -9,8 +9,10 @@ var InvalidArgumentError = require('../../../lib/errors/invalid-argument-error')
 var InvalidGrantError = require('../../../lib/errors/invalid-grant-error');
 var InvalidRequestError = require('../../../lib/errors/invalid-request-error');
 var Promise = require('bluebird');
+var crypto = require('crypto');
 var Request = require('../../../lib/request');
 var ServerError = require('../../../lib/errors/server-error');
+var stringUtil = require('../../../lib/utils/string-util');
 var should = require('should');
 
 /**
@@ -361,6 +363,110 @@ describe('AuthorizationCodeGrantType integration', function() {
         });
     });
 
+    it('should throw an error if the `code_verifier` is invalid', function() {
+      var codeVerifier = stringUtil.base64URLEncode(crypto.randomBytes(32));
+      var authorizationCode = {
+        authorizationCode: 12345,
+        client: { id: 'foobar' },
+        expiresAt: new Date(new Date() * 2),
+        user: {},
+        codeChallengeMethod: 'S256',
+        codeChallenge: stringUtil.base64URLEncode(crypto.createHash('sha256').update(codeVerifier).digest())
+      };
+      var client = { id: 'foobar' };
+      var model = {
+        getAuthorizationCode: function() { return authorizationCode; },
+        revokeAuthorizationCode: function() {},
+        saveToken: function() {}
+      };
+      var grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model });
+      var request = new Request({ body: { code: 12345, code_verifier: 'foo' }, headers: {}, method: {}, query: {} });
+
+      return grantType.getAuthorizationCode(request, client)
+        .then(should.fail)
+        .catch(function(e) {
+          e.should.be.an.instanceOf(InvalidGrantError);
+          e.message.should.equal('Invalid grant: `code_verifier` is invalid');
+        });
+    });
+
+    it('should throw an error if the `code_verifier` is invalid', function() {
+      var authorizationCode = {
+        authorizationCode: 12345,
+        client: { id: 'foobar' },
+        expiresAt: new Date(new Date() * 2),
+        user: {},
+        codeChallengeMethod: 'plain',
+        codeChallenge: 'baz'
+      };
+      var client = { id: 'foobar' };
+      var model = {
+        getAuthorizationCode: function() { return authorizationCode; },
+        revokeAuthorizationCode: function() {},
+        saveToken: function() {}
+      };
+      var grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model });
+      var request = new Request({ body: { code: 12345, code_verifier: 'foo' }, headers: {}, method: {}, query: {} });
+
+      return grantType.getAuthorizationCode(request, client)
+        .then(should.fail)
+        .catch(function(e) {
+          e.should.be.an.instanceOf(InvalidGrantError);
+          e.message.should.equal('Invalid grant: `code_verifier` is invalid');
+        });
+    });
+
+    it('should return an auth code when `code_verifier` is valid', function() {
+      var codeVerifier = stringUtil.base64URLEncode(crypto.randomBytes(32));
+      var authorizationCode = {
+        authorizationCode: 12345,
+        client: { id: 'foobar' },
+        expiresAt: new Date(new Date() * 2),
+        user: {},
+        codeChallengeMethod: 'S256',
+        codeChallenge: stringUtil.base64URLEncode(crypto.createHash('sha256').update(codeVerifier).digest())
+      };
+      var client = { id: 'foobar' };
+      var model = {
+        getAuthorizationCode: function() { return authorizationCode; },
+        revokeAuthorizationCode: function() {},
+        saveToken: function() {}
+      };
+      var grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model });
+      var request = new Request({ body: { code: 12345, code_verifier: codeVerifier }, headers: {}, method: {}, query: {} });
+
+      return grantType.getAuthorizationCode(request, client)
+        .then(function(data) {
+          data.should.equal(authorizationCode);
+        })
+        .catch(should.fail);
+    });
+
+    it('should return an auth code when `code_verifier` is valid', function() {
+      var authorizationCode = {
+        authorizationCode: 12345,
+        client: { id: 'foobar' },
+        expiresAt: new Date(new Date() * 2),
+        user: {},
+        codeChallengeMethod: 'plain',
+        codeChallenge: 'baz'
+      };
+      var client = { id: 'foobar' };
+      var model = {
+        getAuthorizationCode: function() { return authorizationCode; },
+        revokeAuthorizationCode: function() {},
+        saveToken: function() {}
+      };
+      var grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model });
+      var request = new Request({ body: { code: 12345, code_verifier: 'baz' }, headers: {}, method: {}, query: {} });
+
+      return grantType.getAuthorizationCode(request, client)
+        .then(function(data) {
+          data.should.equal(authorizationCode);
+        })
+        .catch(should.fail);
+    });
+
     it('should return an auth code', function() {
       var authorizationCode = { authorizationCode: 12345, client: { id: 'foobar' }, expiresAt: new Date(new Date() * 2), user: {} };
       var client = { id: 'foobar' };

test/integration/handlers/authorize-handler_test.js

@@ -824,6 +824,84 @@ describe('AuthorizeHandler integration', function() {
     });
   });
 
+  describe('getCodeChallenge()', function() {
+    describe('with `code_challenge` in the request body', function() {
+      it('should return the code_challenge', function() {
+        var model = {
+          getAccessToken: function() {},
+          getClient: function() {},
+          saveAuthorizationCode: function() {}
+        };
+        var handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
+        var request = new Request({ body: { code_challenge: 'foo' }, headers: {}, method: {}, query: {} });
+
+        handler.getCodeChallenge(request).should.equal('foo');
+      });
+    });
+
+    describe('with `code_challenge` in the request query', function() {
+      it('should return the code_challenge', function() {
+        var model = {
+          getAccessToken: function() {},
+          getClient: function() {},
+          saveAuthorizationCode: function() {}
+        };
+        var handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
+        var request = new Request({ body: {}, headers: {}, method: {}, query: { code_challenge: 'foo' } });
+
+        handler.getCodeChallenge(request).should.equal('foo');
+      });
+    });
+  });
+
+  describe('getCodeChallengeMethod()', function() {
+    it('should throw an error if `scope` is invalid', function() {
+      var model = {
+        getAccessToken: function() {},
+        getClient: function() {},
+        saveAuthorizationCode: function() {}
+      };
+      var handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
+      var request = new Request({ body: { code_challenge_method: 'foo' }, headers: {}, method: {}, query: {} });
+
+      try {
+        handler.getCodeChallengeMethod(request);
+
+        should.fail();
+      } catch (e) {
+        e.should.be.an.instanceOf(InvalidRequestError);
+        e.message.should.equal('Invalid parameter: `code_challenge_method`');
+      }
+    });
+    describe('with `code_challenge_method` in the request body', function() {
+      it('should return the code_challenge_method', function() {
+        var model = {
+          getAccessToken: function() {},
+          getClient: function() {},
+          saveAuthorizationCode: function() {}
+        };
+        var handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
+        var request = new Request({ body: { code_challenge_method: 'plain' }, headers: {}, method: {}, query: {} });
+
+        handler.getCodeChallengeMethod(request).should.equal('plain');
+      });
+    });
+
+    describe('with `code_challenge_method` in the request query', function() {
+      it('should return the code_challenge_method', function() {
+        var model = {
+          getAccessToken: function() {},
+          getClient: function() {},
+          saveAuthorizationCode: function() {}
+        };
+        var handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
+        var request = new Request({ body: {}, headers: {}, method: {}, query: { code_challenge_method: 'S256' } });
+
+        handler.getCodeChallengeMethod(request).should.equal('S256');
+      });
+    });
+  });
+
   describe('getState()', function() {
     it('should throw an error if `allowEmptyState` is false and `state` is missing', function() {
       var model = {

test/unit/handlers/authorize-handler_test.js

@@ -87,11 +87,11 @@ describe('AuthorizeHandler', function() {
       };
       var handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
 
-      return handler.saveAuthorizationCode('foo', 'bar', 'qux', 'biz', 'baz', 'boz')
+      return handler.saveAuthorizationCode('foo', 'bar', 'qux', 'biz', 'baz', 'boz', 'buz', 'bez')
         .then(function() {
           model.saveAuthorizationCode.callCount.should.equal(1);
           model.saveAuthorizationCode.firstCall.args.should.have.length(3);
-          model.saveAuthorizationCode.firstCall.args[0].should.eql({ authorizationCode: 'foo', expiresAt: 'bar', redirectUri: 'baz', scope: 'qux' });
+          model.saveAuthorizationCode.firstCall.args[0].should.eql({ authorizationCode: 'foo', expiresAt: 'bar', redirectUri: 'baz', scope: 'qux', codeChallenge: 'buz', codeChallengeMethod: 'bez' });
           model.saveAuthorizationCode.firstCall.args[1].should.equal('biz');
           model.saveAuthorizationCode.firstCall.args[2].should.equal('boz');
           model.saveAuthorizationCode.firstCall.thisValue.should.equal(model);