fix: allow empty body without content-type on userinfo

panva · Dec 9, 2019 · d5148ad · d5148ad
1 parent 5a43ca7
commit d5148ad
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 4 deletions.
diff --git a/lib/shared/selective_body.js b/lib/shared/selective_body.js
@@ -8,13 +8,13 @@ const { InvalidRequest } = require('../helpers/errors');
 let warned;
 
 async function selectiveBody(cty, ctx, next) {
-  if (ctx.is(cty)) {
+  if (ctx.request.length && ctx.is(cty)) {
     try {
       let usedFallback;
       const body = await (() => {
         if (ctx.req.readable) {
           return raw(ctx.req, {
-            length: ctx.length,
+            length: ctx.request.length,
             limit: '56kb',
             encoding: ctx.charset,
           });
@@ -47,8 +47,11 @@ is not recommended, resolving to use req.body or request.body instead');
     }
 
     await next();
-  } else {
+  } else if (ctx.request.length) {
     throw new InvalidRequest(`only ${cty} content-type bodies are supported on ${ctx.method} ${ctx.path}`);
+  } else {
+    ctx.oidc.body = {};
+    await next();
   }
 }
 

diff --git a/test/userinfo/bearer.test.js b/test/userinfo/bearer.test.js
@@ -44,5 +44,10 @@ describe('providing Bearer token', () => {
         .send('access_token=')
         .expect(this.failWith(400, 'invalid_request', 'no access token provided'));
     });
+
+    it('empty body w/ auth header', function () {
+      return this.agent.post('/me')
+        .expect(this.failWith(400, 'invalid_request', 'no access token provided'));
+    });
   });
 });
diff --git a/test/userinfo/userinfo.test.js b/test/userinfo/userinfo.test.js
@@ -36,7 +36,7 @@ describe('userinfo /me', () => {
     }).to.throw('jwtUserinfo is only available in conjuction with userinfo');
   });
 
-  it('returns 200 OK and user claims except the rejected ones', function () {
+  it('[get] returns 200 OK and user claims except the rejected ones', function () {
     return this.agent.get('/me')
       .auth(this.access_token, { type: 'bearer' })
       .expect(200)
@@ -46,6 +46,16 @@ describe('userinfo /me', () => {
       });
   });
 
+  it('[post] returns 200 OK and user claims except the rejected ones', function () {
+    return this.agent.post('/me')
+      .auth(this.access_token, { type: 'bearer' })
+      .expect(200)
+      .expect((response) => {
+        expect(response.body).to.have.keys(['sub', 'email']);
+        expect(response.body).not.to.have.keys(['email_verified']);
+      });
+  });
+
   it('populates ctx.oidc.entities', function (done) {
     this.provider.use(this.assertOnce((ctx) => {
       expect(ctx.oidc.entities).to.have.keys('Client', 'AccessToken', 'Account');