fix: check that session account is a string

closes #660 closes #655
panva · Feb 27, 2020 · e1eb211 · e1eb211
1 parent add15a5
commit e1eb211
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 8 deletions.
diff --git a/lib/shared/session.js b/lib/shared/session.js
@@ -4,15 +4,23 @@ const ssHandler = require('../helpers/samesite_handler');
 module.exports = async function sessionHandler(ctx, next) {
   ctx.oidc.session = new Proxy(await ctx.oidc.provider.Session.get(ctx), {
     set(obj, prop, value) {
-      if (prop === 'touched') {
-        Reflect.defineProperty(obj, 'touched', { writable: true, value });
-      } else if (prop === 'destroyed') {
-        Reflect.defineProperty(obj, 'destroyed', { configurable: false, writable: true, value });
-        Reflect.defineProperty(obj, 'touched', { configurable: false, writable: false, value: false });
-      } else {
-        Reflect.set(obj, prop, value);
-        Reflect.defineProperty(obj, 'touched', { writable: true, value: true });
+      switch (prop) {
+        case 'touched':
+          Reflect.defineProperty(obj, 'touched', { writable: true, value });
+          break;
+        case 'destroyed':
+          Reflect.defineProperty(obj, 'destroyed', { configurable: false, writable: true, value });
+          Reflect.defineProperty(obj, 'touched', { configurable: false, writable: false, value: false });
+          break;
+        case 'account':
+          if (typeof value !== 'string' || !value) {
+            throw new TypeError(`account must be a non-empty string, got: ${typeof value}`);
+          }
+        default: // eslint-disable-line no-fallthrough
+          Reflect.set(obj, prop, value);
+          Reflect.defineProperty(obj, 'touched', { writable: true, value: true });
       }
+
       return true;
     },
   });

diff --git a/test/interaction/interaction.test.js b/test/interaction/interaction.test.js
@@ -183,6 +183,7 @@ describe('devInteractions', () => {
         response_type: 'code',
         scope: 'openid',
       });
+      this.auth = auth;
 
       return this.agent.get('/auth')
         .query(auth)
@@ -209,6 +210,35 @@ describe('devInteractions', () => {
         .expect(302);
     });
 
+    it('checks that the account is a non empty string', async function () {
+      let location;
+      const spy = sinon.spy();
+      this.provider.once('server_error', spy);
+
+      await this.agent.post(`${this.url}`)
+        .send({
+          prompt: 'login',
+          login: '',
+        })
+        .type('form')
+        .expect(302)
+        .expect('location', new RegExp(this.url.replace('interaction', 'auth')))
+        .expect(({ headers }) => {
+          ({ location } = headers);
+        });
+
+      await this.agent.get(new URL(location).pathname)
+        .expect(302)
+        .expect(this.auth.validateState)
+        .expect(this.auth.validateClientLocation)
+        .expect(this.auth.validateError('server_error'));
+
+      expect(spy).to.have.property('calledOnce', true);
+      const error = spy.firstCall.args[1];
+      expect(error).to.be.an.instanceof(TypeError);
+      expect(error).to.have.property('message', 'account must be a non-empty string, got: string');
+    });
+
     handlesInteractionSessionErrors();
   });