From d2945da47e6c78a6f30240e14ab8981a7a9b3399 Mon Sep 17 00:00:00 2001
From: Markus Koller
Date: Sat, 5 Nov 2016 18:58:49 +0100
Subject: [PATCH] bug: Don't require nonce
---
.../openid_connect/oauth/authorization/code.rb | 10 ++++++----
.../oauth/authorization_code_request.rb | 2 +-
spec/lib/oauth/authorization/code_spec.rb | 7 +++++++
.../oauth/authorization_code_request_spec.rb | 17 ++++++++++++++---
4 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/lib/doorkeeper/openid_connect/oauth/authorization/code.rb b/lib/doorkeeper/openid_connect/oauth/authorization/code.rb
index 7fec7d2..56eb9e0 100644
--- a/lib/doorkeeper/openid_connect/oauth/authorization/code.rb
+++ b/lib/doorkeeper/openid_connect/oauth/authorization/code.rb
@@ -5,10 +5,12 @@ module Authorization
 module Code
 def issue_token
 super.tap do |access_grant|
- ::Doorkeeper::OpenidConnect::Nonce.create!(
- access_grant: access_grant,
- nonce: pre_auth.nonce
- )
+ if pre_auth.nonce
+ ::Doorkeeper::OpenidConnect::Nonce.create!(
+ access_grant: access_grant,
+ nonce: pre_auth.nonce
+ )
+ end
 end
 end
 end
diff --git a/lib/doorkeeper/openid_connect/oauth/authorization_code_request.rb b/lib/doorkeeper/openid_connect/oauth/authorization_code_request.rb
index 27f0890..9ba9a2a 100644
--- a/lib/doorkeeper/openid_connect/oauth/authorization_code_request.rb
+++ b/lib/doorkeeper/openid_connect/oauth/authorization_code_request.rb
@@ -6,7 +6,7 @@ module AuthorizationCodeRequest
 def after_successful_response
 super
- id_token = Doorkeeper::OpenidConnect::Models::IdToken.new(access_token, grant.openid_connect_nonce.use!)
+ id_token = Doorkeeper::OpenidConnect::Models::IdToken.new(access_token, grant.openid_connect_nonce.try(:use!))
 @response.id_token = id_token
 end
 end
diff --git a/spec/lib/oauth/authorization/code_spec.rb b/spec/lib/oauth/authorization/code_spec.rb
index 50ea947..466c241 100644
--- a/spec/lib/oauth/authorization/code_spec.rb
+++ b/spec/lib/oauth/authorization/code_spec.rb
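Review bot: The new guard `if pre_auth.nonce` is a plain truthiness test, so if `pre_auth.nonce` comes straight from the request parameter (not visible here) an empty `nonce=` still reaches `Nonce.create!` and is later echoed as an empty `nonce` claim in the ID token; `if pre_auth.nonce.present?` treats blank as absent, which matches the commit's intent, assuming ActiveSupport is loaded as the rails_helper-based specs suggest. The branch also deserves a why-comment, because a reader may expect the nonce to be mandatory: `# nonce is OPTIONAL in the authorization code flow (OpenID Connect Core 3.1.2.1); persist it only when the client sent one so the ID token can echo it back`. The blank-string case is worth a second example next to the new `does not store the nonce if not present` example in spec/lib/oauth/authorization/code_spec.rb. The enclosing modules start and end outside the hunk.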
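Review bot: `grant.openid_connect_nonce.try(:use!)` returns nil not only when the association is nil but also whenever the receiver does not respond to `use!`, so a nonce the client did send could be silently dropped from the ID token instead of surfacing as an error; `grant.openid_connect_nonce&.use!` only short-circuits on nil and is the safer spelling if the gem's minimum Ruby is 2.3 or later (the gemspec is not visible here). The line also runs well past 120 columns; binding the nonce first, `nonce = grant.openid_connect_nonce&.use!` and `id_token = Doorkeeper::OpenidConnect::Models::IdToken.new(access_token, nonce)`, keeps it readable. The surrounding module nesting starts and ends outside the hunk.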
@@ -28,6 +28,13 @@
 })
 end
+ it 'does not store the nonce if not present' do
+ allow(pre_auth).to receive(:nonce) { nil }
+ subject.issue_token
+
+ expect(Doorkeeper::OpenidConnect::Nonce).to_not have_received(:create!)
+ end
+
 it 'returns the created grant' do
 expect(subject.issue_token).to be_a Doorkeeper::AccessGrant
 end
 end
diff --git a/spec/lib/oauth/authorization_code_request_spec.rb b/spec/lib/oauth/authorization_code_request_spec.rb
index f86cb00..dd7d882 100644
--- a/spec/lib/oauth/authorization_code_request_spec.rb
+++ b/spec/lib/oauth/authorization_code_request_spec.rb
@@ -1,7 +1,13 @@
 require 'rails_helper'
 describe Doorkeeper::OpenidConnect::OAuth::AuthorizationCodeRequest do
- subject { Doorkeeper::OAuth::AuthorizationCodeRequest.new server, grant, client }
+ subject {
+ Doorkeeper::OAuth::AuthorizationCodeRequest.new(server, grant, client).tap do |request|
+ request.instance_variable_set '@response', response
+ request.access_token = token
+ end
+ }
+
 let(:server) { double }
 let(:client) { double }
 let(:grant) { create :access_grant, openid_connect_nonce: nonce }
@@ -11,12 +17,17 @@
 describe '#after_successful_response' do
 it 'adds the ID token to the response' do
- subject.instance_variable_set '@response', response
- subject.access_token = token
 subject.send :after_successful_response
 expect(response.id_token).to be_a Doorkeeper::OpenidConnect::Models::IdToken
 expect(response.id_token.nonce).to eq '123456'
 end
+
+ it 'skips the nonce if not present' do
+ grant.openid_connect_nonce = nil
+ subject.send :after_successful_response
+
+ expect(response.id_token.nonce).to be_nil
+ end
 end
 end
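Review bot: `have_received(:create!)` only passes when `Doorkeeper::OpenidConnect::Nonce.create!` was stubbed before the call (an `allow(...).to receive` in setup outside this hunk); if that stub is scoped to a different example group, RSpec rejects the matcher because the object is not a spy rather than testing anything, so confirm the stub applies to this new example. On style, the RSpec style guide prefers `not_to` over `to_not`: `expect(Doorkeeper::OpenidConnect::Nonce).not_to have_received(:create!)`.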
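Review bot: The new multi-line `subject { ... }` uses brace delimiters, which the Ruby style guide reserves for single-line blocks; `subject do ... end` matches the `describe`/`it` blocks around it. Moving `request.instance_variable_set '@response', response` into the shared subject also makes every example depend on a private ivar of Doorkeeper::OAuth::AuthorizationCodeRequest, so a short comment there, `# set @response directly; the request appears to expose no public setter for it — confirm`, tells the next reader why the spec reaches past the public interface. The `let` definitions for `token` and `response` that the subject now uses are outside the hunk.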