From 70d5abe4add23c6cda376ed6b571312b0e68e135 Mon Sep 17 00:00:00 2001
From: scagood
Date: Sat, 21 Aug 2021 03:33:28 +0100
Subject: [PATCH] Only require 'redirect_uri' in token/authorization_code when one was provided in authorize/code
---
 lib/handlers/authorize-handler.js | 9 +++--
 .../handlers/authorize-handler_test.js | 39 +++++++++++++++++++
 2 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/lib/handlers/authorize-handler.js b/lib/handlers/authorize-handler.js
index 845e25b55..994944f21 100644
--- a/lib/handlers/authorize-handler.js
+++ b/lib/handlers/authorize-handler.js
@@ -91,7 +91,7 @@ AuthorizeHandler.prototype.handle = function(request, response) {
 return Promise.all(fns)
 .bind(this)
 .spread(function(expiresAt, client, user) {
- var uri = this.getRedirectUri(request, client);
+ var { uri, requestUri } = this.getRedirectUri(request, client);
 var scope;
 var state;
 var ResponseType;
@@ -111,7 +111,7 @@ AuthorizeHandler.prototype.handle = function(request, response) {
 state = this.getState(request);
 ResponseType = this.getResponseType(request);
 
- return this.saveAuthorizationCode(authorizationCode, expiresAt, scope, client, uri, user);
+ return this.saveAuthorizationCode(authorizationCode, expiresAt, scope, client, requestUri, user);
 })
 .then(function(code) {
 var responseType = new ResponseType(code.authorizationCode);
@@ -273,7 +273,10 @@ AuthorizeHandler.prototype.getUser = function(request, response) {
 */
 
 AuthorizeHandler.prototype.getRedirectUri = function(request, client) {
- return request.body.redirect_uri || request.query.redirect_uri || client.redirectUris[0];
+ var requestUri = request.body.redirect_uri || request.query.redirect_uri;
+ var uri = requestUri || client.redirectUris[0];
+
+ return { uri, requestUri };
 };
 
 /**
diff --git a/test/integration/handlers/authorize-handler_test.js b/test/integration/handlers/authorize-handler_test.js
index f895f82e3..798b8ec82 100644
--- a/test/integration/handlers/authorize-handler_test.js
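Review bot: The `saveAuthorizationCode(authorizationCode, expiresAt, scope, client, requestUri, user)` call in the second hunk now hands the model `undefined` as the redirect URI whenever the request omitted `redirect_uri`, which is a visible contract change for every model implementation that persists `code.redirectUri` (a NOT NULL column, or a strict comparison at the token endpoint, would break). The token-side half of the commit title — only requiring `redirect_uri` in the `authorization_code` grant when one was stored with the code — is not part of this diff, so it presumably already keys off the stored value being falsy; that assumption should be confirmed and the model documentation for `saveAuthorizationCode` should state that `redirectUri` may now be absent. The enclosing `handle` function starts and ends outside the hunk.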
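Review bot: The JSDoc block whose closing ` */` is the first context line of the third hunk is not updated although `getRedirectUri` no longer returns a string but an object; add `@returns {{uri: string, requestUri: (string|undefined)}} uri - URI to redirect to, falling back to the client's first registered URI; requestUri - the value the request actually carried, or undefined`. The new line `var uri = requestUri || client.redirectUris[0];` keeps the pre-existing behaviour of silently picking the first registered URI, but now the code record no longer captures which URI was chosen, since `requestUri` rather than `uri` is persisted; RFC 6749 §3.1.2.3 only permits omitting `redirect_uri` when exactly one URI is registered, so consider rejecting the omitted case when `client.redirectUris.length > 1` rather than defaulting. Both points are confined to the new lines of this hunk; the surrounding `/**` block and `getUser` lie outside it.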
+++ b/test/integration/handlers/authorize-handler_test.js
@@ -532,6 +532,45 @@ describe('AuthorizeHandler integration', function() {
 });
 });
 
+ it('should not include redirectUri in model.saveAuthorizationCode() when its not in request', function() {
+ var model = {
+ getAccessToken: function() {
+ return {
+ user: {},
+ accessTokenExpiresAt: new Date(new Date().getTime() + 10000)
+ };
+ },
+ getClient: function() {
+ return { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] };
+ },
+ saveAuthorizationCode: function(code) {
+ code.should.have.property('redirectUri').which.is.undefined();
+ return { authorizationCode: 12345, client: this.getClient() };
+ }
+ };
+ var handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
+ var request = new Request({
+ body: {
+ client_id: 12345,
+ response_type: 'code'
+ },
+ headers: {
+ 'Authorization': 'Bearer foo'
+ },
+ method: {},
+ query: {
+ state: 'foobar'
+ }
+ });
+ var response = new Response({ body: {}, headers: {} });
+
+ return handler.handle(request, response)
+ .then(should.fail)
+ .catch(function() {
+ response.get('location').should.equal('http://example.com/cb?code=12345&state=foobar');
+ });
+ });
+
 it('should return the `code` if successful', function() {
 var client = { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] };
 var model = {
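Review bot: The `.then(should.fail).catch(...)` chain at the end of the new test passes whether `handle()` resolves or rejects, because `should.fail` throws into the same `.catch` that only inspects the `location` header, so an unexpected rejection with the redirect already set would go unnoticed. If a successful redirect is the expectation here, `return handler.handle(request, response).then(function() { response.get('location').should.equal('http://example.com/cb?code=12345&state=foobar'); });` lets any rejection fail the test; if a rejection is expected, assert on the error inside the `.catch`. A companion test asserting that a supplied `redirect_uri` still reaches `saveAuthorizationCode` as `code.redirectUri` would cover the other half of the new `getRedirectUri` contract. The enclosing `describe` block starts and ends outside the hunk.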