Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Scope is optional with authorization code grant #103

Closed
wants to merge 5 commits into from

Conversation

FStefanni
Copy link
Contributor

@FStefanni FStefanni commented Dec 8, 2021

Summary

This pr makes the scope optional with the authorization code grant.

Please note that this code differs from the original pr.
This is due to my understanding of the specification (which could be wrong, so please validate).
The cited RFC section states that scope is optional, so, for what I understand:

  • If scope is missing: OK, no problem
  • If scope is given, then it must be valid

Conversely, the original pr did not check the scope at all, so, if a invalid scope where given, it would have passed successfully (which seems to me incorrect).

Linked issue(s)

Related to #89, point 19, original pr oauthjs/node-oauth2-server#647

@jankapunkt: Other related issues: #84 #79 #71 #64

Added tests?

Yes

OAuth2 standard

RFC 6749 section-4.1.1

Copy link
Member

@jankapunkt jankapunkt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@FStefanni this is correct, scope is optional but if it's invalid there should be no other codes be generated, see #64 #84 so please add these two into consideration.

lib/grant-types/authorization-code-grant-type.js Outdated Show resolved Hide resolved
@jankapunkt jankapunkt added compliance 📜 OAuth 2.0 standard compliance security ❗ Address a security issue labels Dec 10, 2021
@FStefanni
Copy link
Contributor Author

Hi,

@jankapunkt
@jorenvandeweyer
@Uzlopak

I have updated the pr, so please check whether I have understood the comments, or something is still missing.
Btw, I have also found and fixed a bug in AbstractGrantType.prototype.validateScope(): it did not return a promise in all cases (but now it does).

Regards

@Uzlopak
Copy link
Collaborator

Uzlopak commented Dec 12, 2021

To be honest: I dont like it.

I expected a minimal change like this:

AuthorizationCodeGrantType.prototype.saveToken = function(user, client, authorizationCode, requestedScope) {

  const scope = await this.validateScope(user, client, requestedScope);
  const fns = [
      this.generateAccessToken(client, user, scope),
      this.generateRefreshToken(client, user, scope),
      this.getAccessTokenExpiresAt(),
      this.getRefreshTokenExpiresAt()
    ];

  return Promise.all(fns)
    .bind(this)
    .spread(function(accessToken, refreshToken, accessTokenExpiresAt, refreshTokenExpiresAt) {
      const token = {
        accessToken: accessToken,
        authorizationCode: authorizationCode,
        accessTokenExpiresAt: accessTokenExpiresAt,
        refreshToken: refreshToken,
        refreshTokenExpiresAt: refreshTokenExpiresAt,
        scope: scope
      };

      return promisify(this.model.saveToken, 3).call(this.model, token, client, user);
    });
};

@jorenvandeweyer
Copy link
Member

I also think you can just use await like @Uzlopak suggests. @jwerre is already rewriting the code base to use await everywhere else.

@jankapunkt
Copy link
Member

I would wait until it's done with the rewrite and currently focus on integrity for the current state of code. I wil review later today

@FStefanni
Copy link
Contributor Author

Hi,

I have re-written by using await, but now 3 tests fail.
I am not able to fix them... can someone help please?

Regards

@Uzlopak
Copy link
Collaborator

Uzlopak commented Dec 18, 2021

I like your change. Good work!

I would suggest to delete the failing tests, but this could be an inconsistency throughout the codebase. We should wait till everywhere is async await and then merge your change.

@jankapunkt
Copy link
Member

@FStefanni no worries we will check out what's going on here

@jankapunkt
Copy link
Member

@Uzlopak @HappyZombies @jorenvandeweyer should this also be added to 4.2.0? I think it's not really "breaking" so I would add it to the release.

@jankapunkt jankapunkt added this to the v4.3 milestone Aug 25, 2022
@jankapunkt jankapunkt changed the base branch from development to v4.3.0-dev August 25, 2022 12:30
@jankapunkt jankapunkt modified the milestones: v4.3, v4.4 Mar 21, 2023
@jankapunkt jankapunkt changed the base branch from v4.3.0-dev to development August 7, 2023 11:28
@@ -97,7 +97,7 @@ AbstractGrantType.prototype.validateScope = async function(user, client, scope)

return validatedScope;
} else {
return scope;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not necessary anymore since the function is async now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
compliance 📜 OAuth 2.0 standard compliance security ❗ Address a security issue
Projects
None yet
4 participants