Permalink
Browse files

hotfix(oauth2) safely parse body even when empty (#1915)

  • Loading branch information...
1 parent 692caa9 commit 49a2da5d9d4e1603353e76bf9516243155ef7d2c @thefosk thefosk committed on GitHub Dec 21, 2016
Showing with 16 additions and 3 deletions.
  1. +4 −3 kong/plugins/oauth2/access.lua
  2. +12 −0 spec/03-plugins/99-oauth2/03-access_spec.lua
@@ -1,5 +1,5 @@
local url = require "socket.url"
-local json = require "cjson"
+local cjson = require "cjson.safe"
local utils = require "kong.tools.utils"
local cache = require "kong.tools.database_cache"
local pl_stringx = require "pl.stringx"
@@ -89,12 +89,13 @@ end
local function retrieve_parameters()
ngx.req.read_body()
-- OAuth2 parameters could be in both the querystring or body
- local body_parameters
+ local body_parameters, err
local content_type = req_get_headers()[CONTENT_TYPE]
if content_type and string_find(content_type:lower(), "multipart/form-data", nil, true) then
body_parameters = Multipart(ngx.req.get_body_data(), content_type):get_all()
elseif content_type and string_find(content_type:lower(), "application/json", nil, true) then
- body_parameters = json.decode(ngx.req.get_body_data())
+ body_parameters, err = cjson.decode(ngx.req.get_body_data())
+ if err then body_parameters = {} end
else
body_parameters = ngx.req.get_post_args()
end
@@ -1456,6 +1456,18 @@ describe("#ci Plugin: oauth2 (access)", function()
end)
describe("Making a request", function()
+ it("fails when no access_token is being sent in an application/json body", function()
+ local res = assert(proxy_ssl_client:send {
+ method = "POST",
+ path = "/request",
+ headers = {
+ ["Host"] = "oauth2.com",
+ ["Content-Type"] = "application/json"
+ }
+ })
+ local body = assert.res_status(401, res)
+ assert.equal([[{"error_description":"The access token is missing","error":"invalid_request"}]], body)
+ end)
it("works when a correct access_token is being sent in the querystring", function()
local token = provision_token()

0 comments on commit 49a2da5

Please sign in to comment.