From eec36eb7b160593ac2cf7a5d2b69a00e45542e50 Mon Sep 17 00:00:00 2001
From: Filip Skokan
Date: Mon, 20 Jan 2020 18:47:16 +0100
Subject: [PATCH] feat: allow overloading prototype for comparing client secrets
resolves #631
---
 lib/models/client.js | 5 +++++
 lib/shared/token_auth.js | 7 ++++---
 lib/shared/token_credential_auth.js | 8 --------
 types/index.d.ts | 1 +
 4 files changed, 10 insertions(+), 11 deletions(-)
 delete mode 100644 lib/shared/token_credential_auth.js
diff --git a/lib/models/client.js b/lib/models/client.js
index 2f48b6e18..3e54a704c 100644
--- a/lib/models/client.js
+++ b/lib/models/client.js
@@ -21,6 +21,7 @@ const request = require('../helpers/request');
 const nanoid = require('../helpers/nanoid');
 const epochTime = require('../helpers/epoch_time');
 const instance = require('../helpers/weak_cache');
+const constantEquals = require('../helpers/constant_equals');
 const { InvalidClient, InvalidClientMetadata } = require('../helpers/errors');
 const getSchema = require('../helpers/client_schema');
 const sectorIdentifier = require('../helpers/sector_identifier');
@@ -513,6 +514,10 @@ module.exports = function getClient(provider) {
 || (this.backchannelLogoutUri && this.backchannelLogoutSessionRequired);
 }
+ compareClientSecret(actual) {
+ return constantEquals(this.clientSecret, actual, 1000);
+ }
+
 checkClientSecretExpiration(message, errorOverride) {
 if (!this.clientSecretExpiresAt) {
 return;
diff --git a/lib/shared/token_auth.js b/lib/shared/token_auth.js
index 91f223cde..0c8cbc3f7 100644
--- a/lib/shared/token_auth.js
+++ b/lib/shared/token_auth.js
@@ -5,7 +5,6 @@ const instance = require('../helpers/weak_cache');
 const { 'x5t#S256': thumbprint } = require('../helpers/calculate_thumbprint');
 const rejectDupes = require('./reject_dupes');
-const tokenCredentialAuth = require('./token_credential_auth');
 const getJWTAuthMiddleware = require('./token_jwt_auth');
 const assertionType = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
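Review bot: `compareClientSecret` in the `@@ -513,6 +514,10 @@` hunk is the override point the subject line promises, but nothing in the hunk states the contract an override must keep, so a replacement written as `this.clientSecret === actual` (or a hash lookup that short-circuits on length) would quietly give up the constant-time comparison the default gets from `constantEquals`. I would put a JSDoc block above the method saying it is meant to be replaced on `Client.prototype`, that it must compare in constant time, that it may return a Promise, and that the token endpoint trusts its result as a boolean. The third argument `1000` also deserves a why-comment; `constantEquals` is not in view, so I can only guess it pads the comparison to a minimum length, e.g. `// 1000 = padded comparison length so timing does not leak the secret's size — confirm against helpers/constant_equals`. Whether the default copes with `this.clientSecret` being undefined for a client registered without a secret is likewise not visible here and is worth a test. The enclosing class body runs past both ends of the hunk.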
@@ -172,9 +171,11 @@ module.exports = function tokenAuth(provider, endpoint, jwtAuthEndpointIdentifie
 case 'client_secret_basic':
 case 'client_secret_post': {
 ctx.oidc.client.checkClientSecretExpiration('could not authenticate the client - its client secret is expired');
- const expected = ctx.oidc.client.clientSecret;
 const actual = params.client_secret || clientSecret;
- tokenCredentialAuth(ctx, actual, expected);
+ const matches = await ctx.oidc.client.compareClientSecret(actual);
+ if (!matches) {
+ throw new InvalidClientAuth('invalid secret provided');
+ }
 break;
 }
diff --git a/lib/shared/token_credential_auth.js b/lib/shared/token_credential_auth.js
deleted file mode 100644
index 9c220f036..000000000
--- a/lib/shared/token_credential_auth.js
+++ /dev/null
@@ -1,8 +0,0 @@
-const constantEquals = require('../helpers/constant_equals');
-const { InvalidClientAuth } = require('../helpers/errors');
-
-module.exports = function tokenCredentialAuth(ctx, actual, expected) {
- if (!constantEquals(expected, actual, 1000)) {
- throw new InvalidClientAuth('invalid secret provided');
- }
-};
diff --git a/types/index.d.ts b/types/index.d.ts
index 932f0e03c..b5e537fff 100644
--- a/types/index.d.ts
+++ b/types/index.d.ts
@@ -567,6 +567,7 @@ declare class Client {
 requestUriAllowed(requestUri: string): boolean;
 postLogoutRedirectUriAllowed(postLogoutRedirectUri: string): boolean;
 includeSid(): boolean;
+ compareClientSecret(actual: string): CanBePromise;
 metadata(): ClientMetadata;
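Review bot: The new `if (!matches)` in the `@@ -172,9 +171,11 @@` hunk accepts any truthy value from the now-overridable `compareClientSecret`, so an override that resolves to a string, an object or the stored hash by mistake authenticates the client; since that value comes from deployment code, tighten it to `if (matches !== true) {`. In the same spot `actual` is still `params.client_secret || clientSecret`, which is `undefined` when neither credential is present; the deleted helper passed that straight into `constantEquals` as well, but an override now sees it too, so unless the parameter schema upstream already guarantees a non-empty string I would reject before calling the comparator: `if (typeof actual !== 'string' || actual.length === 0) throw new InvalidClientAuth('invalid secret provided');`. The `await` also requires the enclosing handler, which starts and ends outside the hunk, to be an async function.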
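Review bot: The return type in the `types/index.d.ts` hunk reads `CanBePromise;` with no type argument; if `CanBePromise` is the generic alias `CanBePromise<T>` used elsewhere in this file, this line does not compile and should be `compareClientSecret(actual: string): CanBePromise<boolean>;`. The `<boolean>` may simply have been dropped when the patch was rendered, so check the committed file before changing anything. Pinning the result to `boolean` also tells implementers that the token endpoint treats the value as a yes/no answer and nothing else.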