bug: Don't require nonce

toupeira · toupeira · commit d2945da47e6c · 2016-11-05T19:03:40.000+01:00
diff --git a/lib/doorkeeper/openid_connect/oauth/authorization/code.rb b/lib/doorkeeper/openid_connect/oauth/authorization/code.rb
@@ -5,10 +5,12 @@ module Authorization
         module Code
           def issue_token
             super.tap do |access_grant|
-              ::Doorkeeper::OpenidConnect::Nonce.create!(
-                access_grant: access_grant,
-                nonce: pre_auth.nonce
-              )
+              if pre_auth.nonce
+                ::Doorkeeper::OpenidConnect::Nonce.create!(
+                  access_grant: access_grant,
+                  nonce: pre_auth.nonce
+                )
+              end
             end
           end
         end
diff --git a/lib/doorkeeper/openid_connect/oauth/authorization_code_request.rb b/lib/doorkeeper/openid_connect/oauth/authorization_code_request.rb
@@ -6,7 +6,7 @@ module AuthorizationCodeRequest
 
         def after_successful_response
           super
-          id_token = Doorkeeper::OpenidConnect::Models::IdToken.new(access_token, grant.openid_connect_nonce.use!)
+          id_token = Doorkeeper::OpenidConnect::Models::IdToken.new(access_token, grant.openid_connect_nonce.try(:use!))
           @response.id_token = id_token
         end
       end
diff --git a/spec/lib/oauth/authorization/code_spec.rb b/spec/lib/oauth/authorization/code_spec.rb
@@ -28,6 +28,13 @@
       })
     end
 
+    it 'does not store the nonce if not present' do
+      allow(pre_auth).to receive(:nonce) { nil }
+      subject.issue_token
+
+      expect(Doorkeeper::OpenidConnect::Nonce).to_not have_received(:create!)
+    end
+
     it 'returns the created grant' do
       expect(subject.issue_token).to be_a Doorkeeper::AccessGrant
     end
diff --git a/spec/lib/oauth/authorization_code_request_spec.rb b/spec/lib/oauth/authorization_code_request_spec.rb
@@ -1,7 +1,13 @@
 require 'rails_helper'
 
 describe Doorkeeper::OpenidConnect::OAuth::AuthorizationCodeRequest do
-  subject { Doorkeeper::OAuth::AuthorizationCodeRequest.new server, grant, client }
+  subject {
+    Doorkeeper::OAuth::AuthorizationCodeRequest.new(server, grant, client).tap do |request|
+      request.instance_variable_set '@response', response
+      request.access_token = token
+    end
+  }
+
   let(:server) { double }
   let(:client) { double }
   let(:grant) { create :access_grant, openid_connect_nonce: nonce }
@@ -11,12 +17,17 @@
 
   describe '#after_successful_response' do
     it 'adds the ID token to the response' do
-      subject.instance_variable_set '@response', response
-      subject.access_token = token
       subject.send :after_successful_response
 
       expect(response.id_token).to be_a Doorkeeper::OpenidConnect::Models::IdToken
       expect(response.id_token.nonce).to eq '123456'
     end
+
+    it 'skips the nonce if not present' do
+      grant.openid_connect_nonce = nil
+      subject.send :after_successful_response
+
+      expect(response.id_token.nonce).to be_nil
+    end
   end
 end
