Fixes Issue #129

Not ideal, but effectively reverts the default behaviour of the library to how 0.9.8 worked, that is it passes the access_token as a query parameter to the server. To allow the utility 'get' method to use an Authorization header *instead* then you need to explicitly enable this behaviour by using the method : var oa= new Oauth(...); oa.useAuthorizationHeaderforGET(true) Note this can/should be used in conjunction with the other utility method: oa.setAuthMethod(...) The default value for the Authorization header is 'Bearer' If you're building your own requests using oa._request then there is a new exported method: oa.buildAuthHeader(token)
ciaranj · Mar 5, 2013 · 03d713b · 03d713b
1 parent ba81ad4
commit 03d713b
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 17 deletions.
diff --git a/lib/oauth2.js b/lib/oauth2.js
@@ -14,6 +14,7 @@ exports.OAuth2= function(clientId, clientSecret, baseSite, authorizePath, access
   this._accessTokenName= "access_token";
   this._authMethod= "Bearer";
   this._customHeaders = customHeaders || {};
+  this._useAuthorizationHeaderForGET= false;
 }
 
 // This 'hack' method is required for sites that don't use
@@ -31,13 +32,20 @@ exports.OAuth2.prototype.setAuthMethod = function ( authMethod ) {
   this._authMethod = authMethod;
 };
 
+
+// If you use the OAuth2 exposed 'get' method (and don't construct your own _request call )
+// this will specify whether to use an 'Authorize' header instead of passing the access_token as a query parameter
+exports.OAuth2.prototype.useAuthorizationHeaderforGET = function(useIt) {
+  this._useAuthorizationHeaderForGET= useIt;
+}
+
 exports.OAuth2.prototype._getAccessTokenUrl= function() {
   return this._baseSite + this._accessTokenUrl; /* + "?" + querystring.stringify(params); */
 }
 
 // Build the authorization header. In particular, build the part after the colon.
 // e.g. Authorization: Bearer <token>  # Build "Bearer <token>"
-exports.OAuth2.prototype._buildAuthHeader= function(token) {
+exports.OAuth2.prototype.buildAuthHeader= function(token) {
   return this._authMethod + ' ' + token;
 };
 
@@ -178,8 +186,12 @@ exports.OAuth2.prototype.getProtectedResource= function(url, access_token, callb
 }
 
 exports.OAuth2.prototype.get= function(url, access_token, callback) {
-  var headers= {
-    'Authorization': this._buildAuthHeader(access_token)
-  };
+  if( this._useAuthorizationHeaderForGET ) {
+    var headers= {'Authorization': this.buildAuthHeader(access_token) }
+    access_token= null;
+  }
+  else {
+    headers= {};
+  }
   this._request("GET", url, headers, "", access_token, callback );
 }
diff --git a/tests/oauth2.js b/tests/oauth2.js
@@ -64,21 +64,39 @@ vows.describe('OAuth2').addBatch({
           oa.getOAuthAccessToken("sdsds2", {grant_type:"refresh_token"} );
         }
       },
-      'When calling get with the default authorization method': {
-        'we should pass the authorization header with Bearer method and value of the access_token' : function(oa) {
-          oa._request= function(method, url, headers, post_body, access_token, callback) {
-            assert.equal(headers["Authorization"], "Bearer abcd5");
-          };
-          oa.get("", "abcd5");
+      'When we use the authorization header': {
+        'and call get with the default authorization method': {
+          'we should pass the authorization header with Bearer method and value of the access_token, _request should be passed a null access_token' : function(oa) {
+            oa._request= function(method, url, headers, post_body, access_token, callback) {
+              assert.equal(headers["Authorization"], "Bearer abcd5");
+              assert.isNull( access_token );
+            };
+            oa.useAuthorizationHeaderforGET(true);
+            oa.get("", "abcd5");
+          }
+        },
+        'and call get with the authorization method set to Basic': {
+          'we should pass the authorization header with Basic method and value of the access_token, _request should be passed a null access_token' : function(oa) {
+            oa._request= function(method, url, headers, post_body, access_token, callback) {
+              assert.equal(headers["Authorization"], "Basic cdg2");
+              assert.isNull( access_token );
+            };
+            oa.useAuthorizationHeaderforGET(true);
+            oa.setAuthMethod("Basic");
+            oa.get("", "cdg2");
+          }
         }
       },
-      'When calling get with the authorization method set to Basic': {
-        'we should pass the authorization header with Basic method and value of the access_token' : function(oa) {
-          oa._request= function(method, url, headers, post_body, access_token, callback) {
-            assert.equal(headers["Authorization"], "Basic cdg2");
-          };
-          oa.setAuthMethod("Basic");
-          oa.get("", "cdg2");
+      'When we do not use the authorization header': {
+        'and call get': {
+          'we should pass NOT provide an authorization header and the access_token should be being passed to _request' : function(oa) {
+            oa._request= function(method, url, headers, post_body, access_token, callback) {
+              assert.isUndefined(headers["Authorization"]);
+              assert.equal( access_token, "abcd5" );
+            };
+            oa.useAuthorizationHeaderforGET(false);
+            oa.get("", "abcd5");
+          }
         }
       }
     },