
fix: do not assign the defaulted response_mode to params
panva committed Jul 26, 2019
1 parent 5ff5660 commit 18867ad
Showing 4 changed files with 25 additions and 9 deletions.
17 changes: 10 additions & 7 deletions lib/actions/authorization/check_response_mode.js
@@ -1,6 +1,6 @@
const { InvalidRequest, UnsupportedResponseMode } = require('../../helpers/errors');
const instance = require('../../helpers/weak_cache');
const { isImplicit } = require('../../helpers/resolve_response_mode');
const { isFrontChannel } = require('../../helpers/resolve_response_mode');

/*
* Resolves and assigns params.response_mode if it was not explicitly requested. Validates id_token
Expand All @@ -11,17 +11,20 @@ const { isImplicit } = require('../../helpers/resolve_response_mode');
module.exports = function checkResponseMode(ctx, next) {
const { params, client } = ctx.oidc;

const implicitOrHybrid = isImplicit(params.response_type);
const frontChannel = isFrontChannel(params.response_type);

if (params.response_mode === undefined) {
params.response_mode = implicitOrHybrid ? 'fragment' : 'query';
} else if (params.response_mode === 'query' && implicitOrHybrid) {
const mode = ctx.oidc.responseMode;

if (mode === 'query' && frontChannel) {
throw new InvalidRequest('response_mode not allowed for this response_type');
} else if (params.response_mode === 'query.jwt' && implicitOrHybrid && !client.authorizationEncryptedResponseAlg) {
} else if (mode === 'query.jwt' && frontChannel && !client.authorizationEncryptedResponseAlg) {
throw new InvalidRequest('response_mode not allowed for this response_type unless encrypted');
}

if (!instance(ctx.oidc.provider).responseModes.has(params.response_mode)) {
if (
mode !== undefined
&& !instance(ctx.oidc.provider).responseModes.has(mode)
) {
params.response_mode = undefined;
throw new UnsupportedResponseMode();
}
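Review bot: The header comment on the visible context line `* Resolves and assigns params.response_mode if it was not explicitly requested. Validates id_token` is now stale: the new body reads `ctx.oidc.responseMode` and no longer writes `params.response_mode` on the default path, which is exactly what this commit sets out to do. Suggest rewording it to `* Validates the effective response_mode (ctx.oidc.responseMode: the explicit value or the default for the response_type). Validates id_token`; the remainder of that comment lies outside the hunk. The added `mode !== undefined` guard means a request carrying neither response_type nor response_mode skips the supported-mode check entirely, which is presumably acceptable only because response_type is validated elsewhere in the chain; a one-line comment stating that precondition would make it explicit. checkResponseMode's body continues past the end of the hunk.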
2 changes: 1 addition & 1 deletion lib/actions/authorization/respond.js
Expand Up @@ -28,6 +28,6 @@ module.exports = async function respond(ctx, next) {
ctx.oidc.provider.emit('authorization.success', ctx, out);
debug('uid=%s %o', ctx.oidc.uid, out);

const handler = instance(ctx.oidc.provider).responseModes.get(params.response_mode);
const handler = instance(ctx.oidc.provider).responseModes.get(ctx.oidc.responseMode);
await handler(ctx, params.redirect_uri, out);
};
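Review bot: The lookup on `const handler = instance(ctx.oidc.provider).responseModes.get(ctx.oidc.responseMode);` remains unguarded, so an undefined result surfaces as a TypeError at `await handler(...)` rather than a meaningful error. That is presumably prevented by checkResponseMode running earlier, but since the getter now returns undefined when both params are absent, the dependency deserves a comment such as `// checkResponseMode has already ensured responseMode names a registered handler`. respond's body starts outside the hunk.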
13 changes: 13 additions & 0 deletions lib/helpers/oidc_context.js
Expand Up @@ -11,6 +11,7 @@ const ctxRef = require('../models/ctx_ref');
const nanoid = require('./nanoid');
const { InvalidRequest } = require('./errors');
const instance = require('./weak_cache');
const resolveResponseMode = require('./resolve_response_mode');

module.exports = function getContext(provider) {
const { clockTolerance, features: { dPoP: dPoPConfig } } = instance(provider).configuration();
Expand Down Expand Up @@ -215,6 +216,18 @@ module.exports = function getContext(provider) {
return claims;
}

get responseMode() {
if (typeof this.params.response_mode === 'string') {
return this.params.response_mode;
}

if (this.params.response_type !== undefined) {
return resolveResponseMode(this.params.response_type);
}

return undefined;
}

get acr() {
return this.session.acr;
}
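Review bot: The new `responseMode` getter has no doc comment, and its precedence is not obvious from the code: any string in params.response_mode wins, including the empty string from a bare `response_mode=`, which then reaches the supported-mode check downstream instead of falling back to the default derived from response_type. If that strictness is intended, state it; a JSDoc such as `/** Effective response_mode: params.response_mode when present as a string (even ''), else the mode resolved from response_type, else undefined. */` would do. The getter also dereferences `this.params` unconditionally, so it throws on a context without params; presumably only authorization requests use it, but that is worth confirming.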
2 changes: 1 addition & 1 deletion lib/helpers/resolve_response_mode.js
Expand Up @@ -3,4 +3,4 @@ function resolve(responseType) {
}

module.exports = resolve;
module.exports.isImplicit = responseType => (resolve(responseType) === 'fragment');
module.exports.isFrontChannel = responseType => (resolve(responseType) === 'fragment');
