fix: validate requested scope on authorize request #451

Merged: 2 commits merged into oauthjs:dev from razvanz/fix/validate-scope-on-authorize on Feb 13, 2018

Conversation

razvanz (Contributor) commented Oct 23, 2017

Without validating the scope of an authorize request, a client could get access to unauthorized scopes.
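The check this PR adds, as an added illustration that is not node-oauth2-server's own code: it is modelled on the library's `model.validateScope(user, client, scope)` hook (written synchronously here for brevity; the real hook may be asynchronous), and `client.scopes`, the sample model and the `InvalidScopeError` stand-in are assumptions. The redirect helper shows the RFC 6749 §4.1.2.1 error response that the new test's title refers to.

```javascript
// Stand-in for the library's InvalidScopeError: the OAuth error code travels
// in `name` and the HTTP status in `code`.
class InvalidScopeError extends Error {
  constructor(message) {
    super(message);
    this.name = 'invalid_scope';
    this.code = 400;
  }
}

// Constructed sample model. `client.scopes` is an assumed field holding the
// scopes the client was registered for. validateScope returns the granted
// scope string, or false when any requested scope is outside that set.
const sampleModel = {
  validateScope(user, client, scope) {
    const requested = String(scope || '').split(' ').filter(Boolean);
    const allowed = new Set(client.scopes || []);
    if (requested.length === 0) return false;
    return requested.every(s => allowed.has(s)) ? requested.join(' ') : false;
  },
};

// What the fix adds to the authorize flow: when the model implements
// validateScope, the requested scope must pass it or the request is rejected
// with invalid_scope. A model without validateScope keeps the pre-fix
// behaviour (the requested scope passes through unchanged), which is the
// fallback the reviewer asked to cover with a test.
function validateRequestedScope(model, user, client, scope) {
  if (typeof model.validateScope !== 'function') return scope;
  const granted = model.validateScope(user, client, scope);
  if (!granted) {
    throw new InvalidScopeError('Invalid scope: Requested scope is invalid');
  }
  return granted;
}

// RFC 6749 section 4.1.2.1: once redirect_uri and client_id have been
// validated, the error is reported to the client in the redirect URI's query.
function errorRedirect(redirectUri, err, state) {
  const url = new URL(redirectUri);
  url.searchParams.set('error', err.name);
  if (err.message) url.searchParams.set('error_description', err.message);
  if (state) url.searchParams.set('state', state);
  return url.toString();
}
```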

@steffansluis

What is the status on this?

razvanz (Contributor, Author) commented Dec 12, 2017

@steffansluis If you're addressing me, I'm still waiting for someone to have a look.

@steffansluis

@razvanz Actually it was more like a broadcast message to the maintainers of this repo. @mjsalinger you seem to be the most recently active. Any insights into a timeline for this PR/in general for maintaining this repo?

@@ -332,6 +332,50 @@ describe('AuthorizeHandler integration', function() {
});
});

it('should redirect to an error response if `scope` is insufficient', function() {
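Review bot: the test title at the hunk's last line covers only the insufficient-scope case, while the header (-332,6 +332,50) shows 44 added lines with no case visible for a model that does not implement validateScope, so the fallback path stays untested. Since the title says "redirect to an error response", the test should assert on the redirect's query (error=invalid_scope, plus the echoed state) rather than only on the status, so that it pins the RFC 6749 error code.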
Contributor
Can you add a test for when validateScope isn't included in the model? Otherwise this PR looks good.

@razvanz razvanz force-pushed the fix/validate-scope-on-authorize branch from 78edd5c to 641599f Compare January 29, 2018 12:44
razvanz (Contributor, Author) commented Jan 29, 2018

Added the test and rebased from dev branch.

mjsalinger (Contributor) left a comment

LGTM

@mjsalinger mjsalinger merged commit 9d721a3 into oauthjs:dev Feb 13, 2018
mjsalinger added a commit to mjsalinger/node-oauth2-server that referenced this pull request Aug 27, 2018
 fix: validate requested scope on authorize request
thomseddon pushed a commit that referenced this pull request Jun 11, 2020
 fix: validate requested scope on authorize request
thomseddon pushed a commit that referenced this pull request Jun 11, 2020
 fix: validate requested scope on authorize request
thomseddon pushed a commit that referenced this pull request Jun 27, 2020
 fix: validate requested scope on authorize request
thomseddon pushed a commit that referenced this pull request Jun 27, 2020
 fix: validate requested scope on authorize request
thomseddon pushed a commit that referenced this pull request Jun 30, 2020
 fix: validate requested scope on authorize request
sambacha pushed a commit to sambacha/node-oauth2-server that referenced this pull request Sep 27, 2020
* Compute the correct redirect_uri in case the resource owner denies access

According to https://tools.ietf.org/html/rfc6749#section-4.1.2.1,
once the redirect_uri and client_id are correct, the authorization server should
inform the client that the user denied access.

The change is to move validation of resource owner approval after the
redirect_uri and client identifier validation so the correct redirect URL
is computed.

* Remove commented code

* Note we're now also seeking reviewers

* Update readme with link to v5-dev branch

* Add renovate.json

* Add link to examples repo. Closes oauthjs#571

* Update dependency bluebird to v3.7.2

* Update dependency jshint to v2.11.0

* Update dependency mocha to v3.5.3

* Update dependency sinon to v2.4.1

* Update dependency statuses to v1.5.0

* Update dependency basic-auth to v2

* Update node versions

* Bump lodash from 4.17.4 to 4.17.15

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.4 to 4.17.15.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.4...4.17.15)

Signed-off-by: dependabot[bot] <support@github.com>

* Update dependency type-is to v1.6.18

* Update dependency should to v13

* add codecoverage and upgrade packages

* Update dependency jshint to v2.11.1

* Drop support for node 4/6/8 and add tests for 14

* Update dependency sinon to v9

* Update dependency mocha to v7

* Release 3.0.2 🎉

* Release 3.0.2 🎉

* Revert "Drop support for node 4/6/8 and add tests for 14"

This reverts commit b84778b.

* Revert "Merge pull request oauthjs#596 from oauthjs/renovate/mocha-7.x"

This reverts commit cb2bb88, reversing
changes made to 6997303.

* Revert "Merge pull request oauthjs#602 from oauthjs/renovate/sinon-9.x"

This reverts commit 6997303, reversing
changes made to b84778b.

* Bump mocha and sinon to latest versions supporting node v4

* Add testing for node v14

* Update readme with project status update

* remove renovate in favour of dependabot

* Add FUNDING.yml (oauthjs#630)

* Updated .gitignore

* Changed 'hasOwnProperty' call in Request

* Changed 'hasOwnProperty' call in Response

* set numArgs for promisify of generateAuthorizationCode

* readme: Update Slack badge and link

* fix: issue correct expiry dates for tokens oauthjs#444

related to a NodeJS (nodejs/node#7074) and furthermore
V8 bug (https://bugs.chromium.org/p/v8/issues/detail?id=3637); replaced
seconds calculation with milliseconds.

* Merge pull request oauthjs#451 from razvanz/fix/validate-scope-on-authorize

 fix: validate requested scope on authorize request

* Merge pull request oauthjs#491 from mattgrande/master

docs: Ensure accessTokenExpiresAt is required

* Merge pull request oauthjs#471 from smartrecruiters/fix-migration-documentaiton

docs: Correct tokens time scale for 2.x to 3.x migration guide

* Updated changelog

* Tag 3.1.0-rc1

* 3.1.0 bump

* Bump lodash from 4.17.15 to 4.17.19

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.15 to 4.17.19.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.15...4.17.19)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* v3.1.1 (oauthjs#636)

* Bump jshint from 2.11.1 to 2.12.0 (oauthjs#640)

Bumps [jshint](https://github.com/jshint/jshint) from 2.11.1 to 2.12.0.
- [Release notes](https://github.com/jshint/jshint/releases)
- [Changelog](https://github.com/jshint/jshint/blob/master/CHANGELOG.md)
- [Commits](jshint/jshint@2.11.1...2.12.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>

* Set WWW-Authenticate header for invalid requests

This adds the WWW-Authenticate header for InvalidRequestError, InvalidTokenError,
and InsufficientScopeError, as specified in RFC 6750, Section 3

Fixes oauthjs#553

* cherry pick

* rm lock

* fix: lint errors

* fix grant types

* custom types init

* Update .travis.yml

* git merge artifact

Co-authored-by: Igor Czechowski <i.czechowski@smartrecruiters.com>
Co-authored-by: Szymon Kiebzak <s.kiebzak@smartrecruiters.com>
Co-authored-by: Thom Seddon <thom@seddonmedia.co.uk>
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Aras Abbasi <aras.abbasi@googlemail.com>
Co-authored-by: mjsalinger <mjsalinger@gmail.com>
Co-authored-by: Pritilender <sajn_ap@live.com>
Co-authored-by: nkzawa <naoyuki.kanezawa@gmail.com>
Co-authored-by: Max Truxa <dev@maxtruxa.com>
Co-authored-by: Razvan <razvanz@users.noreply.github.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Jonas Hermsmeier <jonas.hermsmeier@klarna.com>
joe1chen pushed a commit to dogomedia/node-oauth2-server that referenced this pull request Oct 8, 2020
5 participants