From 798157c1859ef291da85311b000eef87d9b27835 Mon Sep 17 00:00:00 2001
From: "Jose F. Romaniello"
Date: Tue, 5 Mar 2013 04:04:00 -0300
Subject: [PATCH] fix #129 Setting token in query params and Authorization header violates spec
---
 lib/oauth2.js | 2 +-
 tests/oauth2.js | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/lib/oauth2.js b/lib/oauth2.js
index 7aec9eb9..34f05425 100644
--- a/lib/oauth2.js
+++ b/lib/oauth2.js
@@ -67,7 +67,7 @@ exports.OAuth2.prototype._request= function(method, url, headers, post_body, acc
 realHeaders['Host']= parsedUrl.host;
 
 realHeaders['Content-Length']= post_body ? Buffer.byteLength(post_body) : 0;
- if( access_token ) {
+ if( access_token && !('Authorization' in headers)) {
 if( ! parsedUrl.query ) parsedUrl.query= {};
 parsedUrl.query[this._accessTokenName]= access_token;
 }
diff --git a/tests/oauth2.js b/tests/oauth2.js
index 2afa29cd..3db23c3f 100644
--- a/tests/oauth2.js
+++ b/tests/oauth2.js
@@ -1,7 +1,8 @@
 var vows = require('vows'),
 assert = require('assert'),
 https = require('https'),
- OAuth2= require('../lib/oauth2').OAuth2;
+ OAuth2= require('../lib/oauth2').OAuth2,
+ url = require('url');
 
 vows.describe('OAuth2').addBatch({
 'Given an OAuth2 instance with clientId and clientSecret, ': {
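Review bot: `'Authorization' in headers` on the new `if` line throws a TypeError when `headers` is null or undefined, and it matches only that exact spelling, so a caller who sets `authorization` in lowercase still gets the token copied into the query string as well, which is the double transmission this fix is meant to stop. `realHeaders` in the surrounding context lines appears to be the merged header set that is actually sent, so testing that object is safer, `if( access_token && !('Authorization' in realHeaders)) {`, and a case-insensitive scan of its keys would also cover the lowercase spelling. Whether `headers` may be omitted depends on `_request`'s callers, which are outside this hunk; `_request` itself begins before and ends after the hunk. A short comment above the check, such as `// RFC 6750 sec. 2: the token goes in at most one place, so skip the query-string fallback when a header carries it`, would record why the query-string path is now conditional.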
@@ -16,6 +17,16 @@ vows.describe('OAuth2').addBatch({
 assert.equal( refresh_token, "refresh");
 });
 },
+ 'we should not include access token in both querystring and headers': function (oa) {
+ oa._request = new OAuth2("clientId", "clientSecret")._request.bind(oa);
+ oa._executeRequest= function( http_library, options, post_body, callback) {
+ callback(null, url.parse(options.path, true).query, options.headers);
+ };
+ oa.get("/userinfo", 'access', function(error, query, headers) {
+ assert.ok( !('access_token' in query), "access_token not in query");
+ assert.ok( 'Authorization' in headers, "Authorization in headers");
+ });
+ },
 'we should correctly extract the token if received as a JSON literal': function (oa) {
 oa._request= function(method, url, headers, post_body, access_token, callback) {
 callback(null, '{"access_token":"access","refresh_token":"refresh"}');
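Review bot: The two `assert.ok` calls inside the `oa.get` callback run only if the `_executeRequest` stub actually reaches `callback`; if `_request` ever returns early or throws before that point, the callback never fires and this test passes vacuously. Recording a flag that the test checks after `oa.get` returns, or routing the result through the vows topic, would turn a missing callback into a failure. The second assertion also checks only that an `Authorization` key exists, not its value; asserting the expected header value would catch a header that is present but malformed. The `_request.bind(oa)` line presumably restores the real implementation because other tests in this batch stub `_request` on the shared instance (one is visible directly below), which deserves a comment such as `// restore the real _request: sibling tests replace it on the shared instance`.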