Skip to content

fix: validate requested scope on authorize request #451

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Feb 13, 2018
Merged

fix: validate requested scope on authorize request #451

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
23214dc
fix: validate requested scope on authorize request (#3)
razvanz Sep 28, 2017
641599f
code review
razvanz Jan 29, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 27 additions & 4 deletions lib/handlers/authorize-handler.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,11 +97,16 @@ AuthorizeHandler.prototype.handle = function(request, response) {
var ResponseType;

return Promise.bind(this)
.then(function() {
scope = this.getScope(request);
.then(function() {
var requestedScope = this.getScope(request);

return this.generateAuthorizationCode(client, user, scope);
})
return this.validateScope(user, client, requestedScope);
})
.then(function(validScope) {
scope = validScope;

return this.generateAuthorizationCode(client, user, scope);
})
.then(function(authorizationCode) {
state = this.getState(request);
ResponseType = this.getResponseType(request);
Expand Down Expand Up @@ -196,6 +201,24 @@ AuthorizeHandler.prototype.getClient = function(request) {
});
};

/**
* Validate requested scope.
*/
AuthorizeHandler.prototype.validateScope = function(user, client, scope) {
if (this.model.validateScope) {
return promisify(this.model.validateScope, 3).call(this.model, user, client, scope)
.then(function (scope) {
if (!scope) {
throw new InvalidScopeError('Invalid scope: Requested scope is invalid');
}

return scope;
});
} else {
return Promise.resolve(scope);
}
};

/**
* Get scope from the request.
*/
Expand Down
88 changes: 88 additions & 0 deletions test/integration/handlers/authorize-handler_test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -332,6 +332,94 @@ describe('AuthorizeHandler integration', function() {
});
});

it('should redirect to a successful response if `model.validateScope` is not defined', function() {
var client = { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] };
var model = {
getAccessToken: function() {
return {
client: client,
user: {},
accessTokenExpiresAt: new Date(new Date().getTime() + 10000)
};
},
getClient: function() {
return client;
},
saveAuthorizationCode: function() {
return { authorizationCode: 12345, client: client };
}
};
var handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
var request = new Request({
body: {
client_id: 12345,
response_type: 'code'
},
headers: {
'Authorization': 'Bearer foo'
},
method: {},
query: {
scope: 'read',
state: 'foobar'
}
});
var response = new Response({ body: {}, headers: {} });

return handler.handle(request, response)
.then(function(data) {
data.should.eql({
authorizationCode: 12345,
client: client
});
})
.catch(should.fail);
});

it('should redirect to an error response if `scope` is insufficient', function() {
var client = { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] };
var model = {
getAccessToken: function() {
return {
client: client,
user: {},
accessTokenExpiresAt: new Date(new Date().getTime() + 10000)
};
},
getClient: function() {
return client;
},
saveAuthorizationCode: function() {
return { authorizationCode: 12345, client: client };
},
validateScope: function() {
return false;
}
};
var handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
var request = new Request({
body: {
client_id: 12345,
response_type: 'code'
},
headers: {
'Authorization': 'Bearer foo'
},
method: {},
query: {
scope: 'read',
state: 'foobar'
}
});
var response = new Response({ body: {}, headers: {} });

return handler.handle(request, response)
.then(should.fail)
.catch(function() {
response.get('location').should.equal('http://example.com/cb?error=invalid_scope&error_description=Invalid%20scope%3A%20Requested%20scope%20is%20invalid');
});
});

it('should redirect to an error response if `state` is missing', function() {
var model = {
getAccessToken: function() {
Expand Down