fix: html-rendered response modes now honour 400 and 500 status codes

panva · Apr 7, 2019 · 9771581 · 9771581
1 parent 26fadc8
commit 9771581
Show file tree

Hide file tree

Showing 6 changed files with 79 additions and 6 deletions.
diff --git a/lib/response_modes/form_post.js b/lib/response_modes/form_post.js
@@ -1,8 +1,13 @@
 const htmlEscape = require('../helpers/html_escape');
 
+const statusCodes = new Set([200, 400, 500]);
+
 module.exports = function formPost(ctx, action, inputs) {
   ctx.type = 'html';
-  ctx.status = 200;
+
+  if (!statusCodes.has(ctx.status)) {
+    ctx.status = 'error' in inputs ? 400 : 200;
+  }
 
   const formInputs = Object.entries(inputs)
     .map(([key, value]) => `<input type="hidden" name="${key}" value="${htmlEscape(value)}"/>`)

diff --git a/lib/response_modes/jwt.js b/lib/response_modes/jwt.js
@@ -11,6 +11,8 @@ const modes = {
   web_message,
 };
 
+const RENDER_MODES = new Set(['form_post', 'web_message']);
+
 module.exports = async function jwtResponseModes(ctx, redirectUri, payload) {
   const { params, entities: { AccessToken } } = ctx.oidc;
 
@@ -35,5 +37,11 @@ module.exports = async function jwtResponseModes(ctx, redirectUri, payload) {
 
   const response = await token.sign({ use: 'authorization' });
 
+  if (RENDER_MODES.has(mode)) {
+    if ('error' in payload && payload.error !== 'server_error') {
+      ctx.status = 400;
+    }
+  }
+
   return modes[mode](ctx, redirectUri, { response });
 };
diff --git a/lib/response_modes/web_message.js b/lib/response_modes/web_message.js
@@ -1,8 +1,13 @@
 const jsesc = require('jsesc');
 
+const statusCodes = new Set([200, 400, 500]);
+
 module.exports = function webMessage(ctx, redirectUri, response) {
   ctx.type = 'html';
-  ctx.status = 200;
+
+  if (!statusCodes.has(ctx.status)) {
+    ctx.status = 'error' in response ? 400 : 200;
+  }
 
   ctx.response.remove('X-Frame-Options');
   const csp = ctx.response.get('Content-Security-Policy');

diff --git a/test/form_post/form_post.test.js b/test/form_post/form_post.test.js
@@ -42,7 +42,7 @@ describe('/auth', () => {
           this.provider.once('authorization.error', spy);
 
           return this.wrap({ route, verb, auth })
-            .expect(200)
+            .expect(400)
             .expect(() => {
               expect(spy.called).to.be.true;
             })
@@ -72,7 +72,7 @@ describe('/auth', () => {
             this.provider.once('server_error', spy);
 
             return this.wrap({ route, verb, auth })
-              .expect(200)
+              .expect(500)
               .expect(() => {
                 expect(spy.called).to.be.true;
               })

diff --git a/test/jwt_response_modes/jwt_response_modes.test.js b/test/jwt_response_modes/jwt_response_modes.test.js
@@ -180,4 +180,59 @@ describe('configuration features.jwtResponseModes', () => {
         });
     });
   });
+
+  Object.entries({
+    'query.jwt': [302, 302],
+    'fragment.jwt': [302, 302],
+    'form_post.jwt': [400, 500],
+    'web_message.jwt': [400, 500],
+  }).forEach(([mode, [errStatus, exceptionStatus]]) => {
+    context(`${mode} err handling`, () => {
+      it(`responds with a ${errStatus}`, function () {
+        const auth = new this.AuthorizationRequest({
+          response_type: 'code',
+          prompt: 'none',
+          response_mode: mode,
+          scope: 'openid',
+        });
+
+        const spy = sinon.spy();
+        this.provider.once('authorization.error', spy);
+
+        return this.wrap({ route, verb: 'get', auth })
+          .expect(errStatus)
+          .expect(() => {
+            expect(spy.called).to.be.true;
+          });
+      });
+
+      context('[exception]', () => {
+        before(async function () {
+          sinon.stub(this.provider.Session.prototype, 'accountId').throws();
+        });
+
+        after(async function () {
+          this.provider.Session.prototype.accountId.restore();
+        });
+
+        it(`responds with a ${exceptionStatus}`, function () {
+          const auth = new this.AuthorizationRequest({
+            response_type: 'code',
+            prompt: 'none',
+            response_mode: mode,
+            scope: 'openid',
+          });
+
+          const spy = sinon.spy();
+          this.provider.once('server_error', spy);
+
+          return this.wrap({ route, verb: 'get', auth })
+            .expect(exceptionStatus)
+            .expect(() => {
+              expect(spy.called).to.be.true;
+            });
+        });
+      });
+    });
+  });
 });
diff --git a/test/web_message/web_message.test.js b/test/web_message/web_message.test.js
@@ -209,7 +209,7 @@ describe('configuration features.webMessageResponseMode', () => {
         this.provider.once('authorization.error', spy);
 
         await this.wrap({ route, auth, verb: 'get' })
-          .expect(200)
+          .expect(400)
           .expect('pragma', 'no-cache')
           .expect('cache-control', 'no-cache, no-store')
           .expect('content-type', 'text/html; charset=utf-8')
@@ -248,7 +248,7 @@ describe('configuration features.webMessageResponseMode', () => {
           this.provider.once('server_error', spy);
 
           await this.wrap({ route, auth, verb: 'get' })
-            .expect(200)
+            .expect(500)
             .expect('pragma', 'no-cache')
             .expect('cache-control', 'no-cache, no-store')
             .expect('content-type', 'text/html; charset=utf-8')