Merge branch 'development' into dependabot/npm_and_yarn/eslint-8.54.0

node-oauth · Nov 30, 2023 · 6c670e2 · 6c670e2
2 parents 32fe5fe + 9562aa9
commit 6c670e2
Show file tree

Hide file tree

Showing 13 changed files with 98 additions and 117 deletions.
diff --git a/index.d.ts b/index.d.ts
@@ -148,7 +148,7 @@ declare namespace OAuth2Server {
          * Validate requested scope. Calls Model#validateScope() if implemented.
          *
          */
-        validateScope(user: User, client: Client, scope: string[]): Promise<string[] | Falsey>;
+        validateScope(user: User, client: Client, scope?: string[]): Promise<string[] | Falsey>;
 
         /**
          * Retrieve info from the request and client and return token
@@ -314,7 +314,7 @@ declare namespace OAuth2Server {
          * Invoked to check if the requested scope is valid for a particular client/user combination.
          *
          */
-        validateScope?(user: User, client: Client, scope: string[]): Promise<string[] | Falsey>;
+        validateScope?(user: User, client: Client, scope?: string[]): Promise<string[] | Falsey>;
 
         /**
          * Invoked to check if the provided `redirectUri` is valid for a particular `client`.
@@ -340,7 +340,7 @@ declare namespace OAuth2Server {
          * Invoked to check if the requested scope is valid for a particular client/user combination.
          *
          */
-        validateScope?(user: User, client: Client, scope: string[]): Promise<string[] | Falsey>;
+        validateScope?(user: User, client: Client, scope?: string[]): Promise<string[] | Falsey>;
     }
 
     interface RefreshTokenModel extends BaseModel, RequestAuthenticationModel {
@@ -374,7 +374,7 @@ declare namespace OAuth2Server {
          * Invoked to check if the requested scope is valid for a particular client/user combination.
          *
          */
-        validateScope?(user: User, client: Client, scope: string[]): Promise<string[] | Falsey>;
+        validateScope?(user: User, client: Client, scope?: string[]): Promise<string[] | Falsey>;
     }
 
     interface ExtensionModel extends BaseModel, RequestAuthenticationModel {}

diff --git a/lib/handlers/authenticate-handler.js b/lib/handlers/authenticate-handler.js
@@ -13,6 +13,7 @@ const Request = require('../request');
 const Response = require('../response');
 const ServerError = require('../errors/server-error');
 const UnauthorizedRequestError = require('../errors/unauthorized-request-error');
+const { parseScope } = require('../utils/scope-util');
 
 /**
  * Constructor.
@@ -46,7 +47,7 @@ class AuthenticateHandler {
     this.addAuthorizedScopesHeader = options.addAuthorizedScopesHeader;
     this.allowBearerTokensInQueryString = options.allowBearerTokensInQueryString;
     this.model = options.model;
-    this.scope = options.scope;
+    this.scope = parseScope(options.scope);
   }
 
   /**

diff --git a/lib/handlers/token-handler.js b/lib/handlers/token-handler.js
@@ -266,6 +266,12 @@ class TokenHandler {
   updateSuccessResponse (response, tokenType) {
     response.body = tokenType.valueOf();
 
+    // for compliance reasons we rebuild the internal scope to be a string
+    // https://datatracker.ietf.org/doc/html/rfc6749.html#section-5.1
+    if (response.body.scope) {
+      response.body.scope = response.body.scope.join(' ');
+    }
+
     response.set('Cache-Control', 'no-store');
     response.set('Pragma', 'no-cache');
   }

diff --git a/lib/utils/scope-util.js b/lib/utils/scope-util.js
@@ -1,16 +1,25 @@
 const isFormat = require('@node-oauth/formats');
 const InvalidScopeError = require('../errors/invalid-scope-error');
+const whiteSpace = /\s+/g;
 
 module.exports = {
   parseScope: function (requestedScope) {
-    if (!isFormat.nqschar(requestedScope)) {
+    if (requestedScope == null) {
+      return undefined;
+    }
+
+    if (typeof requestedScope !== 'string') {
       throw new InvalidScopeError('Invalid parameter: `scope`');
     }
 
-    if (requestedScope == null) {
-      return undefined;
+    // XXX: this prevents spaced-only strings to become
+    // treated as valid nqchar by making them empty strings
+    requestedScope = requestedScope.trim();
+
+    if(!isFormat.nqschar(requestedScope)) {
+      throw new InvalidScopeError('Invalid parameter: `scope`');
     }
 
-    return requestedScope.split(' ');
+    return requestedScope.split(whiteSpace);
   }
 };
diff --git a/lib/validator/is.js b/lib/validator/is.js
diff --git a/test/compliance/client-credential-workflow_test.js b/test/compliance/client-credential-workflow_test.js
@@ -90,7 +90,7 @@ describe('ClientCredentials Workflow Compliance (4.4)', function () {
       response.body.token_type.should.equal('Bearer');
       response.body.access_token.should.equal(token.accessToken);
       response.body.expires_in.should.be.a('number');
-      response.body.scope.should.eql(['read', 'write']);
+      response.body.scope.should.eql('read write');
       ('refresh_token' in response.body).should.equal(false);
 
       token.accessToken.should.be.a('string');

diff --git a/test/compliance/password-grant-type_test.js b/test/compliance/password-grant-type_test.js
@@ -101,7 +101,7 @@ describe('PasswordGrantType Compliance', function () {
       response.body.access_token.should.equal(token.accessToken);
       response.body.refresh_token.should.equal(token.refreshToken);
       response.body.expires_in.should.be.a('number');
-      response.body.scope.should.eql(['read', 'write']);
+      response.body.scope.should.eql('read write');
 
       token.accessToken.should.be.a('string');
       token.refreshToken.should.be.a('string');

diff --git a/test/compliance/refresh-token-grant-type_test.js b/test/compliance/refresh-token-grant-type_test.js
@@ -124,7 +124,7 @@ describe('RefreshTokenGrantType Compliance', function () {
       refreshResponse.body.access_token.should.equal(token.accessToken);
       refreshResponse.body.refresh_token.should.equal(token.refreshToken);
       refreshResponse.body.expires_in.should.be.a('number');
-      refreshResponse.body.scope.should.eql(['read', 'write']);
+      refreshResponse.body.scope.should.eql('read write');
 
       token.accessToken.should.be.a('string');
       token.refreshToken.should.be.a('string');
@@ -223,7 +223,7 @@ describe('RefreshTokenGrantType Compliance', function () {
       refreshResponse.body.access_token.should.equal(token.accessToken);
       refreshResponse.body.refresh_token.should.equal(token.refreshToken);
       refreshResponse.body.expires_in.should.be.a('number');
-      refreshResponse.body.scope.should.eql(['read']);
+      refreshResponse.body.scope.should.eql('read');
     });
   });
 });
diff --git a/test/helpers/model.js b/test/helpers/model.js
@@ -10,6 +10,9 @@ function createModel (db) {
   }
 
   async function saveToken (token, client, user) {
+    if (token.scope && !Array.isArray(token.scope)) {
+      throw new Error('Scope should internally be an array');
+    }
     const meta = {
       clientId: client.id,
       userId: user.id,
@@ -38,7 +41,9 @@ function createModel (db) {
     if (!meta) {
       return false;
     }
-
+    if (meta.scope && !Array.isArray(meta.scope)) {
+      throw new Error('Scope should internally be an array');
+    }
     return {
       accessToken,
       accessTokenExpiresAt: meta.accessTokenExpiresAt,
@@ -54,7 +59,9 @@ function createModel (db) {
     if (!meta) {
       return false;
     }
-
+    if (meta.scope && !Array.isArray(meta.scope)) {
+      throw new Error('Scope should internally be an array');
+    }
     return {
       refreshToken,
       refreshTokenExpiresAt: meta.refreshTokenExpiresAt,
@@ -71,6 +78,9 @@ function createModel (db) {
   }
 
   async function verifyScope (token, scope) {
+    if (!Array.isArray(scope)) {
+      throw new Error('Scope should internally be an array');
+    }
     return scope.every(s => scopes.includes(s));
   }
 

diff --git a/test/integration/handlers/authenticate-handler_test.js b/test/integration/handlers/authenticate-handler_test.js
@@ -93,7 +93,7 @@ describe('AuthenticateHandler integration', function() {
         addAcceptedScopesHeader: true,
         addAuthorizedScopesHeader: true,
         model: model,
-        scope: ['foobar']
+        scope: 'foobar'
       });
 
       grantType.scope.should.eql(['foobar']);
@@ -254,7 +254,7 @@ describe('AuthenticateHandler integration', function() {
           return true;
         }
       };
-      const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: ['foo'] });
+      const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: 'foo' });
       const request = new Request({
         body: {},
         headers: { 'Authorization': 'Bearer foo' },
@@ -522,7 +522,7 @@ describe('AuthenticateHandler integration', function() {
           return false;
         }
       };
-      const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: ['foo'] });
+      const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: 'foo' });
 
       return handler.verifyScope(['foo'])
         .then(should.fail)
@@ -539,7 +539,7 @@ describe('AuthenticateHandler integration', function() {
           return true;
         }
       };
-      const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: ['foo'] });
+      const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: 'foo' });
 
       handler.verifyScope(['foo']).should.be.an.instanceOf(Promise);
     });
@@ -551,7 +551,7 @@ describe('AuthenticateHandler integration', function() {
           return true;
         }
       };
-      const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: ['foo'] });
+      const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: 'foo' });
 
       handler.verifyScope(['foo']).should.be.an.instanceOf(Promise);
     });
@@ -576,7 +576,7 @@ describe('AuthenticateHandler integration', function() {
         getAccessToken: function() {},
         verifyScope: function() {}
       };
-      const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: false, model: model, scope: ['foo', 'bar'] });
+      const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: false, model: model, scope: 'foo bar' });
       const response = new Response({ body: {}, headers: {} });
 
       handler.updateResponse(response, { scope: ['foo', 'biz'] });
@@ -602,7 +602,7 @@ describe('AuthenticateHandler integration', function() {
         getAccessToken: function() {},
         verifyScope: function() {}
       };
-      const handler = new AuthenticateHandler({ addAcceptedScopesHeader: false, addAuthorizedScopesHeader: true, model: model, scope: ['foo', 'bar'] });
+      const handler = new AuthenticateHandler({ addAcceptedScopesHeader: false, addAuthorizedScopesHeader: true, model: model, scope: 'foo bar' });
       const response = new Response({ body: {}, headers: {} });
 
       handler.updateResponse(response, { scope: ['foo', 'biz'] });

diff --git a/test/integration/handlers/token-handler_test.js b/test/integration/handlers/token-handler_test.js
@@ -329,7 +329,7 @@ describe('TokenHandler integration', function() {
     });
 
     it('should not return custom attributes in a bearer token if the allowExtendedTokenAttributes is not set', function() {
-      const token = { accessToken: 'foo', client: {}, refreshToken: 'bar', scope: ['foobar'], user: {}, foo: 'bar' };
+      const token = { accessToken: 'foo', client: {}, refreshToken: 'bar', scope: ['baz'], user: {}, foo: 'bar' };
       const model = {
         getClient: function() { return { grants: ['password'] }; },
         getUser: function() { return {}; },
@@ -357,14 +357,14 @@ describe('TokenHandler integration', function() {
           should.exist(response.body.access_token);
           should.exist(response.body.refresh_token);
           should.exist(response.body.token_type);
-          should.exist(response.body.scope);
+          response.body.scope.should.eql('baz');
           should.not.exist(response.body.foo);
         })
         .catch(should.fail);
     });
 
     it('should return custom attributes in a bearer token if the allowExtendedTokenAttributes is set', function() {
-      const token = { accessToken: 'foo', client: {}, refreshToken: 'bar', scope: ['foobar'], user: {}, foo: 'bar' };
+      const token = { accessToken: 'foo', client: {}, refreshToken: 'bar', scope: ['baz'], user: {}, foo: 'bar' };
       const model = {
         getClient: function() { return { grants: ['password'] }; },
         getUser: function() { return {}; },
@@ -392,7 +392,7 @@ describe('TokenHandler integration', function() {
           should.exist(response.body.access_token);
           should.exist(response.body.refresh_token);
           should.exist(response.body.token_type);
-          should.exist(response.body.scope);
+          response.body.scope.should.eql('baz');
           should.exist(response.body.foo);
         })
         .catch(should.fail);

diff --git a/test/unit/handlers/authenticate-handler_test.js b/test/unit/handlers/authenticate-handler_test.js
@@ -166,7 +166,7 @@ describe('AuthenticateHandler', function() {
         getAccessToken: function() {},
         verifyScope: sinon.stub().returns(true)
       };
-      const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: ['bar'] });
+      const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: 'bar' });
 
       return handler.verifyScope(['foo'])
         .then(function() {