From 03d713be9abaa52a2d7ac068ef60c0236d65e946 Mon Sep 17 00:00:00 2001
From: ciaranj
Date: Tue, 5 Mar 2013 17:34:20 +0000
Subject: [PATCH] Fixes Issue #129 Not ideal, but effectively reverts the default behaviour of the library to how 0.9.8 worked, that is it passes the access_token as a query parameter to the server. To allow the utility 'get' method to use an Authorization header *instead* then you need to explicitly enable this behaviour by using the method : var oa= new Oauth(...); oa.useAuthorizationHeaderforGET(true) Note this can/should be used in conjunction with the other utility method: oa.setAuthMethod(...) The default value for the Authorization header is 'Bearer' If you're building your own requests using oa._request then there is a new exported method: oa.buildAuthHeader(token)
---
 lib/oauth2.js | 20 ++++++++++++++++----
 tests/oauth2.js | 44 +++++++++++++++++++++++++++++++-------------
 2 files changed, 47 insertions(+), 17 deletions(-)
diff --git a/lib/oauth2.js b/lib/oauth2.js
index 7aec9eb9..8f879633 100644
--- a/lib/oauth2.js
+++ b/lib/oauth2.js
@@ -14,6 +14,7 @@ exports.OAuth2= function(clientId, clientSecret, baseSite, authorizePath, access
 this._accessTokenName= "access_token";
 this._authMethod= "Bearer";
 this._customHeaders = customHeaders || {};
+ this._useAuthorizationHeaderForGET= false;
 }
 // This 'hack' method is required for sites that don't use
@@ -31,13 +32,20 @@ exports.OAuth2.prototype.setAuthMethod = function ( authMethod ) {
 this._authMethod = authMethod;
 };
+
+// If you use the OAuth2 exposed 'get' method (and don't construct your own _request call )
+// this will specify whether to use an 'Authorize' header instead of passing the access_token as a query parameter
+exports.OAuth2.prototype.useAuthorizationHeaderforGET = function(useIt) {
+ this._useAuthorizationHeaderForGET= useIt;
+}
+
 exports.OAuth2.prototype._getAccessTokenUrl= function() {
 return this._baseSite + this._accessTokenUrl; /* + "?" + querystring.stringify(params); */
 }
 // Build the authorization header. In particular, build the part after the colon.
 // e.g. Authorization: Bearer # Build "Bearer "
-exports.OAuth2.prototype._buildAuthHeader= function(token) {
+exports.OAuth2.prototype.buildAuthHeader= function(token) {
 return this._authMethod + ' ' + token;
 };
@@ -178,8 +186,12 @@ exports.OAuth2.prototype.getProtectedResource= function(url, access_token, callb
 }
 exports.OAuth2.prototype.get= function(url, access_token, callback) {
- var headers= {
- 'Authorization': this._buildAuthHeader(access_token)
- };
+ if( this._useAuthorizationHeaderForGET ) {
+ var headers= {'Authorization': this.buildAuthHeader(access_token) }
+ access_token= null;
+ }
+ else {
+ headers= {};
+ }
 this._request("GET", url, headers, "", access_token, callback );
 }
diff --git a/tests/oauth2.js b/tests/oauth2.js
index 2afa29cd..0d2dd38e 100644
--- a/tests/oauth2.js
+++ b/tests/oauth2.js
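Review bot: The comment added above `useAuthorizationHeaderforGET` names an 'Authorize' header, but the header that `get` sets is `Authorization`; I would write `// this will specify whether to use an 'Authorization' header instead of passing the access_token as a query parameter`. The public setter is spelled `useAuthorizationHeaderforGET` while the field it writes is `_useAuthorizationHeaderForGET`, and it is worth settling on one casing before the name becomes part of the API. The rename of `_buildAuthHeader` to `buildAuthHeader` in the same hunk leaves no alias, so if any caller built headers through the underscore name it would break; `exports.OAuth2.prototype._buildAuthHeader= exports.OAuth2.prototype.buildAuthHeader;` keeps it working.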
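Review bot: With the flag left at its default, `get` passes the access_token on to `_request`, and per the commit message it then travels as a query parameter, so the bearer token can end up in server and proxy access logs and anywhere else the full URL is recorded; nothing on `get` documents that trade-off. I would add a comment above it such as `// Default sends access_token in the query string (0.9.8 behaviour); call useAuthorizationHeaderforGET(true) to send it in the Authorization header and keep it out of URLs and logs.` Separately, `headers` is declared with `var` inside the `if` branch and assigned in the `else`, which works only through hoisting; `var headers= {};` before the `if` and `headers['Authorization']= this.buildAuthHeader(access_token);` inside it reads more plainly. `_request` is outside the hunk, so how it attaches the token is taken from the commit message rather than from visible code.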
@@ -64,21 +64,39 @@ vows.describe('OAuth2').addBatch({
 oa.getOAuthAccessToken("sdsds2", {grant_type:"refresh_token"} );
 }
 },
- 'When calling get with the default authorization method': {
- 'we should pass the authorization header with Bearer method and value of the access_token' : function(oa) {
- oa._request= function(method, url, headers, post_body, access_token, callback) {
- assert.equal(headers["Authorization"], "Bearer abcd5");
- };
- oa.get("", "abcd5");
+ 'When we use the authorization header': {
+ 'and call get with the default authorization method': {
+ 'we should pass the authorization header with Bearer method and value of the access_token, _request should be passed a null access_token' : function(oa) {
+ oa._request= function(method, url, headers, post_body, access_token, callback) {
+ assert.equal(headers["Authorization"], "Bearer abcd5");
+ assert.isNull( access_token );
+ };
+ oa.useAuthorizationHeaderforGET(true);
+ oa.get("", "abcd5");
+ }
+ },
+ 'and call get with the authorization method set to Basic': {
+ 'we should pass the authorization header with Basic method and value of the access_token, _request should be passed a null access_token' : function(oa) {
+ oa._request= function(method, url, headers, post_body, access_token, callback) {
+ assert.equal(headers["Authorization"], "Basic cdg2");
+ assert.isNull( access_token );
+ };
+ oa.useAuthorizationHeaderforGET(true);
+ oa.setAuthMethod("Basic");
+ oa.get("", "cdg2");
+ }
 }
 },
- 'When calling get with the authorization method set to Basic': {
- 'we should pass the authorization header with Basic method and value of the access_token' : function(oa) {
- oa._request= function(method, url, headers, post_body, access_token, callback) {
- assert.equal(headers["Authorization"], "Basic cdg2");
- };
- oa.setAuthMethod("Basic");
- oa.get("", "cdg2");
+ 'When we do not use the authorization header': {
+ 'and call get': {
+ 'we should pass NOT provide an authorization header and the access_token should be being passed to _request' : function(oa) {
+ oa._request= function(method, url, headers, post_body, access_token, callback) {
+ assert.isUndefined(headers["Authorization"]);
+ assert.equal( access_token, "abcd5" );
+ };
+ oa.useAuthorizationHeaderforGET(false);
+ oa.get("", "abcd5");
+ }
 }
 }
 },
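Review bot: The 'When we do not use the authorization header' vow calls `oa.useAuthorizationHeaderforGET(false)` before `oa.get`, so nothing here exercises the value the constructor sets; a vow that calls `get` on a freshly constructed OAuth2 without touching the flag would pin the default this commit is about. The explicit reset also suggests `oa` is shared between vows (the topic is outside the hunk), in which case `oa.setAuthMethod("Basic")` from the earlier vow may leak into later ones. In all three vows the assertions live inside the stubbed `_request`, so a `get` that never calls `_request` would pass silently; setting a flag in the stub and asserting it after `oa.get(...)` closes that gap.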