From 45b508afa2f7b6272df54d324b95bc3f7528cdbb Mon Sep 17 00:00:00 2001
From: mjsalinger
Date: Wed, 5 Sep 2018 07:56:40 -0400
Subject: [PATCH 1/2] Updated changelog

---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c616fd136..a9e7df8ec 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,8 @@
 * BREAKING: Remove support for node v4
 * new: Added revoke-handler to revoke access token
 * new: Added implicit grant flow
-* new: Switch from jshint to eslint
+* new: Switch from jshint to eslin
+* fix: authorization_code grant should not be required in implicit flowt
 
 ### 3.1.0
 * new: Added package-lock.json

From 90a4f8dc0aca9cded8379bb6f45d36fedced3cfd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Cruz?=
Date: Thu, 18 Oct 2018 15:37:25 +0100
Subject: [PATCH 2/2] Allow "allowed" parameter to be fetched from body

On most "authorize" flows the authorization step is a form post to request permissions from a user, so this parameter should be fetched from the body. In fact, IMHO, it should not be fetched from the query.
---
 lib/handlers/authorize-handler.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/handlers/authorize-handler.js b/lib/handlers/authorize-handler.js
index 3c14d2290..8ddbeac78 100644
--- a/lib/handlers/authorize-handler.js
+++ b/lib/handlers/authorize-handler.js
@@ -69,7 +69,7 @@ AuthorizeHandler.prototype.handle = function(request, response) {
 throw new InvalidArgumentError('Invalid argument: `response` must be an instance of Response');
 }
 
- if ('false' === request.query.allowed) {
+ if ('false' === request.query.allowed || 'false' === request.body.allowed) {
 return Promise.reject(new AccessDeniedError('Access denied: user denied access to application'));
 }
 
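Review bot: The denial check in `AuthorizeHandler.prototype.handle` is fail-open for the new body source, because only the exact string `'false'` denies. If the body was parsed from JSON and carries the boolean `false`, the strict comparison does not match and the request continues as if the user had consented. Normalising before comparing would close that gap, e.g. `if ('false' === String(request.query.allowed) || 'false' === String(request.body.allowed)) {`, and a test posting `allowed=false` in the body should pin the AccessDeniedError path. The added operand also assumes `request.body` is always an object; the Request constructor is not visible here, so confirm it defaults to `{}`, otherwise a body-less request throws a TypeError instead of being handled. The body of `handle` continues beyond the end of this hunk.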