diff --git a/lib/oauth2.js b/lib/oauth2.js
index 8f879633..589f045b 100644
--- a/lib/oauth2.js
+++ b/lib/oauth2.js
@@ -75,7 +75,7 @@ exports.OAuth2.prototype._request= function(method, url, headers, post_body, acc
 realHeaders['Host']= parsedUrl.host;
 
 realHeaders['Content-Length']= post_body ? Buffer.byteLength(post_body) : 0;
- if( access_token ) {
+ if( access_token && !('Authorization' in headers)) {
 if( ! parsedUrl.query ) parsedUrl.query= {};
 parsedUrl.query[this._accessTokenName]= access_token;
 }
diff --git a/tests/oauth2.js b/tests/oauth2.js
index 0d2dd38e..e6dda0a1 100644
--- a/tests/oauth2.js
+++ b/tests/oauth2.js
@@ -1,7 +1,8 @@
 var vows = require('vows'),
 assert = require('assert'),
 https = require('https'),
- OAuth2= require('../lib/oauth2').OAuth2;
+ OAuth2= require('../lib/oauth2').OAuth2,
+ url = require('url');
 
 vows.describe('OAuth2').addBatch({
 'Given an OAuth2 instance with clientId and clientSecret, ': {
@@ -16,6 +17,16 @@ vows.describe('OAuth2').addBatch({
 assert.equal( refresh_token, "refresh");
 });
 },
+ 'we should not include access token in both querystring and headers': function (oa) {
+ oa._request = new OAuth2("clientId", "clientSecret")._request.bind(oa);
+ oa._executeRequest= function( http_library, options, post_body, callback) {
+ callback(null, url.parse(options.path, true).query, options.headers);
+ };
+ oa.get("/userinfo", 'access', function(error, query, headers) {
+ assert.ok( !('access_token' in query), "access_token not in query");
+ assert.ok( 'Authorization' in headers, "Authorization in headers");
+ });
+ },
 'we should correctly extract the token if received as a JSON literal': function (oa) {
 oa._request= function(method, url, headers, post_body, access_token, callback) {
 callback(null, '{"access_token":"access","refresh_token":"refresh"}');
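Review bot: The new guard in `_request` inspects the raw `headers` parameter rather than `realHeaders`, the object the hunk actually populates for the wire (`Host`, `Content-Length`), so an `Authorization` entry that reaches `realHeaders` by another route (presumably the custom-headers map, given the separate object) is not seen and the token is still copied into the query string next to it — the double transmission this change sets out to stop, and the query-string copy is the one most likely to surface in server logs and referrers. `'Authorization' in headers` also throws a TypeError when `headers` is null or undefined, and nothing in the hunk establishes that every caller passes an object. Suggest `if( access_token && !('Authorization' in realHeaders)) {`. HTTP header names are case-insensitive while `in` is not, so a lower-case `authorization` key would also slip past; a case-insensitive scan of the keys is worth considering if callers can supply arbitrary header names. `_request` begins and ends outside the hunk.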