feat: allow overloading prototype for comparing client secrets

resolves #631
panva · Jan 20, 2020 · eec36eb · eec36eb
1 parent 2be3eeb
commit eec36eb
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 11 deletions.
diff --git a/lib/models/client.js b/lib/models/client.js
@@ -21,6 +21,7 @@ const request = require('../helpers/request');
 const nanoid = require('../helpers/nanoid');
 const epochTime = require('../helpers/epoch_time');
 const instance = require('../helpers/weak_cache');
+const constantEquals = require('../helpers/constant_equals');
 const { InvalidClient, InvalidClientMetadata } = require('../helpers/errors');
 const getSchema = require('../helpers/client_schema');
 const sectorIdentifier = require('../helpers/sector_identifier');
@@ -513,6 +514,10 @@ module.exports = function getClient(provider) {
         || (this.backchannelLogoutUri && this.backchannelLogoutSessionRequired);
     }
 
+    compareClientSecret(actual) {
+      return constantEquals(this.clientSecret, actual, 1000);
+    }
+
     checkClientSecretExpiration(message, errorOverride) {
       if (!this.clientSecretExpiresAt) {
         return;

diff --git a/lib/shared/token_auth.js b/lib/shared/token_auth.js
@@ -5,7 +5,6 @@ const instance = require('../helpers/weak_cache');
 const { 'x5t#S256': thumbprint } = require('../helpers/calculate_thumbprint');
 
 const rejectDupes = require('./reject_dupes');
-const tokenCredentialAuth = require('./token_credential_auth');
 const getJWTAuthMiddleware = require('./token_jwt_auth');
 
 const assertionType = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
@@ -172,9 +171,11 @@ module.exports = function tokenAuth(provider, endpoint, jwtAuthEndpointIdentifie
           case 'client_secret_basic':
           case 'client_secret_post': {
             ctx.oidc.client.checkClientSecretExpiration('could not authenticate the client - its client secret is expired');
-            const expected = ctx.oidc.client.clientSecret;
             const actual = params.client_secret || clientSecret;
-            tokenCredentialAuth(ctx, actual, expected);
+            const matches = await ctx.oidc.client.compareClientSecret(actual);
+            if (!matches) {
+              throw new InvalidClientAuth('invalid secret provided');
+            }
 
             break;
           }

diff --git a/lib/shared/token_credential_auth.js b/lib/shared/token_credential_auth.js
diff --git a/types/index.d.ts b/types/index.d.ts
@@ -567,6 +567,7 @@ declare class Client {
   requestUriAllowed(requestUri: string): boolean;
   postLogoutRedirectUriAllowed(postLogoutRedirectUri: string): boolean;
   includeSid(): boolean;
+  compareClientSecret(actual: string): CanBePromise<boolean>;
 
   metadata(): ClientMetadata;