Merge branch 'development' into fix-missing-body-allowed-check

Author: jankapunkt

CHANGELOG.md

@@ -1,5 +1,13 @@
 ## Changelog
 
+## 4.1.1
+
+### Added
+- Added TypeScript types
+### Changed
+- Removed extra files when someone npm installs.
+- Upgrades all code from ES5 to ES6, where possible.
+
 ## 4.1.0
 ### Changed 
 * Bump dev dependencies to resolve vulnerabilities

docs/model/overview.rst

@@ -37,6 +37,7 @@ Model functions used by the authorization code grant:
 - :ref:`Model#saveAuthorizationCode`
 - :ref:`Model#revokeAuthorizationCode`
 - :ref:`Model#validateScope`
+- :ref:`Model#validateRedirectUri`
 
 --------
 

docs/model/spec.rst

@@ -214,7 +214,7 @@ An ``Object`` representing the access token and associated data.
 
   function getAccessToken(accessToken) {
     // imaginary DB queries
-    db.queryAccessToken({access_token: accessToken})
+    return db.queryAccessToken({access_token: accessToken})
       .then(function(token) {
         return Promise.all([
           token,
@@ -288,7 +288,7 @@ An ``Object`` representing the refresh token and associated data.
 
   function getRefreshToken(refreshToken) {
     // imaginary DB queries
-    db.queryRefreshToken({refresh_token: refreshToken})
+    return db.queryRefreshToken({refresh_token: refreshToken})
       .then(function(token) {
         return Promise.all([
           token,
@@ -364,7 +364,7 @@ An ``Object`` representing the authorization code and associated data.
 
   function getAuthorizationCode(authorizationCode) {
     // imaginary DB queries
-    db.queryAuthorizationCode({authorization_code: authorizationCode})
+    return db.queryAuthorizationCode({authorization_code: authorizationCode})
       .then(function(code) {
         return Promise.all([
           code,
@@ -446,7 +446,7 @@ The return value (``client``) can carry additional properties that will be ignor
     if (clientSecret) {
       params.client_secret = clientSecret;
     }
-    db.queryClient(params)
+    return db.queryClient(params)
       .then(function(client) {
         return {
           id: client.id,
@@ -985,3 +985,44 @@ Returns ``true`` if the access token passes, ``false`` otherwise.
     return requestedScopes.every(s => authorizedScopes.indexOf(s) >= 0);
   }
 
+--------
+
+.. _Model#validateRedirectUri:
+
+``validateRedirectUri(redirectUri, client, [callback])``
+================================================================
+
+Invoked to check if the provided ``redirectUri`` is valid for a particular ``client``.
+
+This model function is **optional**. If not implemented, the ``redirectUri`` should be included in the provided ``redirectUris`` of the client.
+
+**Invoked during:**
+
+- ``authorization_code`` grant
+
+**Arguments:**
+
++-----------------+----------+---------------------------------------------------------------------+
+| Name            | Type     | Description                                                         |
++=================+==========+=====================================================================+
+| redirect_uri    | String   | The redirect URI to validate.                                       |
++-----------------+----------+---------------------------------------------------------------------+
+| client          | Object   | The associated client.                                              |
++-----------------+----------+---------------------------------------------------------------------+
+
+**Return value:**
+
+Returns ``true`` if the ``redirectUri`` is valid, ``false`` otherwise.
+
+**Remarks:**
+When implementing this method you should take care of possible security risks related to ``redirectUri``.
+.. _rfc6819: https://datatracker.ietf.org/doc/html/rfc6819
+
+Section-5.2.3.5 is implemented by default.
+.. _Section-5.2.3.5: https://datatracker.ietf.org/doc/html/rfc6819#section-5.2.3.5
+
+::
+
+  function validateRedirectUri(redirectUri, client) {
+    return client.redirectUris.includes(redirectUri);
+  }

lib/grant-types/abstract-grant-type.js

@@ -8,7 +8,7 @@ const InvalidArgumentError = require('../errors/invalid-argument-error');
 const InvalidScopeError = require('../errors/invalid-scope-error');
 const Promise = require('bluebird');
 const promisify = require('promisify-any').use(Promise);
-const is = require('../validator/is');
+const isFormat = require('@node-oauth/formats');
 const tokenUtil = require('../utils/token-util');
 
 /**
@@ -83,7 +83,7 @@ AbstractGrantType.prototype.getRefreshTokenExpiresAt = function() {
  */
 
 AbstractGrantType.prototype.getScope = function(request) {
-  if (!is.nqschar(request.body.scope)) {
+  if (!isFormat.nqschar(request.body.scope)) {
     throw new InvalidArgumentError('Invalid parameter: `scope`');
   }
 

lib/grant-types/authorization-code-grant-type.js

@@ -11,7 +11,7 @@ const InvalidRequestError = require('../errors/invalid-request-error');
 const Promise = require('bluebird');
 const promisify = require('promisify-any').use(Promise);
 const ServerError = require('../errors/server-error');
-const is = require('../validator/is');
+const isFormat = require('@node-oauth/formats');
 const util = require('util');
 
 /**
@@ -85,7 +85,7 @@ AuthorizationCodeGrantType.prototype.getAuthorizationCode = function(request, cl
     throw new InvalidRequestError('Missing parameter: `code`');
   }
 
-  if (!is.vschar(request.body.code)) {
+  if (!isFormat.vschar(request.body.code)) {
     throw new InvalidRequestError('Invalid parameter: `code`');
   }
   return promisify(this.model.getAuthorizationCode, 1).call(this.model, request.body.code)
@@ -114,7 +114,7 @@ AuthorizationCodeGrantType.prototype.getAuthorizationCode = function(request, cl
         throw new InvalidGrantError('Invalid grant: authorization code has expired');
       }
 
-      if (code.redirectUri && !is.uri(code.redirectUri)) {
+      if (code.redirectUri && !isFormat.uri(code.redirectUri)) {
         throw new InvalidGrantError('Invalid grant: `redirect_uri` is not a valid URI');
       }
 
@@ -140,7 +140,7 @@ AuthorizationCodeGrantType.prototype.validateRedirectUri = function(request, cod
 
   const redirectUri = request.body.redirect_uri || request.query.redirect_uri;
 
-  if (!is.uri(redirectUri)) {
+  if (!isFormat.uri(redirectUri)) {
     throw new InvalidRequestError('Invalid request: `redirect_uri` is not a valid URI');
   }
 

lib/grant-types/password-grant-type.js

@@ -10,7 +10,7 @@ const InvalidGrantError = require('../errors/invalid-grant-error');
 const InvalidRequestError = require('../errors/invalid-request-error');
 const Promise = require('bluebird');
 const promisify = require('promisify-any').use(Promise);
-const is = require('../validator/is');
+const isFormat = require('@node-oauth/formats');
 const util = require('util');
 
 /**
@@ -80,11 +80,11 @@ PasswordGrantType.prototype.getUser = function(request) {
     throw new InvalidRequestError('Missing parameter: `password`');
   }
 
-  if (!is.uchar(request.body.username)) {
+  if (!isFormat.uchar(request.body.username)) {
     throw new InvalidRequestError('Invalid parameter: `username`');
   }
 
-  if (!is.uchar(request.body.password)) {
+  if (!isFormat.uchar(request.body.password)) {
     throw new InvalidRequestError('Invalid parameter: `password`');
   }
 

lib/grant-types/refresh-token-grant-type.js

@@ -11,7 +11,7 @@ const InvalidRequestError = require('../errors/invalid-request-error');
 const Promise = require('bluebird');
 const promisify = require('promisify-any').use(Promise);
 const ServerError = require('../errors/server-error');
-const is = require('../validator/is');
+const isFormat = require('@node-oauth/formats');
 const util = require('util');
 
 /**
@@ -82,7 +82,7 @@ RefreshTokenGrantType.prototype.getRefreshToken = function(request, client) {
     throw new InvalidRequestError('Missing parameter: `refresh_token`');
   }
 
-  if (!is.vschar(request.body.refresh_token)) {
+  if (!isFormat.vschar(request.body.refresh_token)) {
     throw new InvalidRequestError('Invalid parameter: `refresh_token`');
   }
 

lib/handlers/authorize-handler.js

@@ -18,7 +18,7 @@ const Request = require('../request');
 const Response = require('../response');
 const ServerError = require('../errors/server-error');
 const UnauthorizedClientError = require('../errors/unauthorized-client-error');
-const is = require('../validator/is');
+const isFormat = require('@node-oauth/formats');
 const tokenUtil = require('../utils/token-util');
 const url = require('url');
 
@@ -96,6 +96,12 @@ AuthorizeHandler.prototype.handle = function(request, response) {
       let ResponseType;
 
       return Promise.bind(this)
+        .then(function() {
+          state = this.getState(request);
+          if(request.query.allowed === 'false') {
+            throw new AccessDeniedError('Access denied: user denied access to application');
+          }
+        })
         .then(function() {
           const requestedScope = this.getScope(request);
 
@@ -107,7 +113,6 @@ AuthorizeHandler.prototype.handle = function(request, response) {
           return this.generateAuthorizationCode(client, user, scope);
         })
         .then(function(authorizationCode) {
-          state = this.getState(request);
           ResponseType = this.getResponseType(request);
 
           return this.saveAuthorizationCode(authorizationCode, expiresAt, scope, client, uri, user);
@@ -160,19 +165,20 @@ AuthorizeHandler.prototype.getAuthorizationCodeLifetime = function() {
  */
 
 AuthorizeHandler.prototype.getClient = function(request) {
+  const self = this;
   const clientId = request.body.client_id || request.query.client_id;
 
   if (!clientId) {
     throw new InvalidRequestError('Missing parameter: `client_id`');
   }
 
-  if (!is.vschar(clientId)) {
+  if (!isFormat.vschar(clientId)) {
     throw new InvalidRequestError('Invalid parameter: `client_id`');
   }
 
   const redirectUri = request.body.redirect_uri || request.query.redirect_uri;
 
-  if (redirectUri && !is.uri(redirectUri)) {
+  if (redirectUri && !isFormat.uri(redirectUri)) {
     throw new InvalidRequestError('Invalid request: `redirect_uri` is not a valid URI');
   }
   return promisify(this.model.getClient, 2).call(this.model, clientId, null)
@@ -193,10 +199,17 @@ AuthorizeHandler.prototype.getClient = function(request) {
         throw new InvalidClientError('Invalid client: missing client `redirectUri`');
       }
 
-      if (redirectUri && !client.redirectUris.includes(redirectUri)) {
-        throw new InvalidClientError('Invalid client: `redirect_uri` does not match client value');
+      if (redirectUri) {
+        return self.validateRedirectUri(redirectUri, client)
+          .then(function(valid) {
+            if (!valid) {
+              throw new InvalidClientError('Invalid client: `redirect_uri` does not match client value');
+            }
+            return client;
+          });
+      } else {
+        return client;
       }
-      return client;
     });
 };
 
@@ -225,7 +238,7 @@ AuthorizeHandler.prototype.validateScope = function(user, client, scope) {
 AuthorizeHandler.prototype.getScope = function(request) {
   const scope = request.body.scope || request.query.scope;
 
-  if (!is.nqschar(scope)) {
+  if (!isFormat.nqschar(scope)) {
     throw new InvalidScopeError('Invalid parameter: `scope`');
   }
 
@@ -238,13 +251,14 @@ AuthorizeHandler.prototype.getScope = function(request) {
 
 AuthorizeHandler.prototype.getState = function(request) {
   const state = request.body.state || request.query.state;
-
-  if (!this.allowEmptyState && !state) {
-    throw new InvalidRequestError('Missing parameter: `state`');
-  }
-
-  if (!is.vschar(state)) {
-    throw new InvalidRequestError('Invalid parameter: `state`');
+  const stateExists = state && state.length > 0;
+  const stateIsValid = stateExists
+    ? isFormat.vschar(state)
+    : this.allowEmptyState;
+
+  if (!stateIsValid) {
+    const message = (!stateExists) ? 'Missing' : 'Invalid';
+    throw new InvalidRequestError(`${message} parameter: \`state\``);
   }
 
   return state;
@@ -289,6 +303,14 @@ AuthorizeHandler.prototype.saveAuthorizationCode = function(authorizationCode, e
   return promisify(this.model.saveAuthorizationCode, 3).call(this.model, code, client, user);
 };
 
+
+AuthorizeHandler.prototype.validateRedirectUri = function(redirectUri, client) {
+  if (this.model.validateRedirectUri) {
+    return promisify(this.model.validateRedirectUri, 2).call(this.model, redirectUri, client);
+  }
+
+  return Promise.resolve(client.redirectUris.includes(redirectUri));
+};
 /**
  * Get response type.
  */

lib/handlers/token-handler.js

@@ -18,7 +18,7 @@ const TokenModel = require('../models/token-model');
 const UnauthorizedClientError = require('../errors/unauthorized-client-error');
 const UnsupportedGrantTypeError = require('../errors/unsupported-grant-type-error');
 const auth = require('basic-auth');
-const is = require('../validator/is');
+const isFormat = require('@node-oauth/formats');
 
 /**
  * Grant types.
@@ -123,11 +123,11 @@ TokenHandler.prototype.getClient = function(request, response) {
     throw new InvalidRequestError('Missing parameter: `client_secret`');
   }
 
-  if (!is.vschar(credentials.clientId)) {
+  if (!isFormat.vschar(credentials.clientId)) {
     throw new InvalidRequestError('Invalid parameter: `client_id`');
   }
 
-  if (credentials.clientSecret && !is.vschar(credentials.clientSecret)) {
+  if (credentials.clientSecret && !isFormat.vschar(credentials.clientSecret)) {
     throw new InvalidRequestError('Invalid parameter: `client_secret`');
   }
 
@@ -203,7 +203,7 @@ TokenHandler.prototype.handleGrantType = function(request, client) {
     throw new InvalidRequestError('Missing parameter: `grant_type`');
   }
 
-  if (!is.nchar(grantType) && !is.uri(grantType)) {
+  if (!isFormat.nchar(grantType) && !isFormat.uri(grantType)) {
     throw new InvalidRequestError('Invalid parameter: `grant_type`');
   }