
Accept `access_token` in the post body

We were only looking for it in the query parameters, which made it frustrating
for people building POST requests who would have to include their token in the
URL even though the rest of their data was in the POST body. Luckily, Express
has our back with `req.param()`, which does the following:

* Checks route params (req.params), ex: /user/:id
* Checks query string params (req.query), ex: ?id=12
* Checks urlencoded body params (req.body), ex: id=12

Ref: http://expressjs.com/guide.html#req.param()

Fixes Singly/API#113
1 parent f97a890 commit 4057b10236d79fc8ea62549c29088b28dddd39dd @kristjan kristjan committed Jul 9, 2012
Showing with 3 additions and 3 deletions.
  1. +3 −3 lib/oauth2-provider.js
@@ -34,8 +34,8 @@ OAuth2Provider.prototype.login = function() {
return function(req, res, next) {
var data, atok, user_id, client_id, grant_date, extra_data;
- if(req.query['access_token']) {
- atok = req.query['access_token'];
+ if(req.param('access_token')) {
+ atok = req.param('access_token');
} else if((req.headers['authorization'] || '').indexOf('Bearer ') == 0) {
atok = req.headers['authorization'].replace('Bearer', '').trim();
} else {
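Review bot: The first branch of `login` now takes the token from whichever of route params, parsed body or query string `req.param('access_token')` finds first, and uses the value without checking that it is a string. With a body parser in front, a JSON or nested form body can presumably supply an array or object here, and how the code after the hunk handles a non-string `atok` is not visible. Read the value once and type-check it: `var tok = req.param('access_token');` followed by `if (typeof tok === 'string' && tok) { atok = tok; }`. It would also be worth rejecting a request that carries a token in more than one place (body, query, `Authorization` header) instead of silently preferring one, since RFC 6750 expects a single transmission method per request. The function body continues outside the hunk.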
@@ -76,7 +76,7 @@ OAuth2Provider.prototype.oauth = function() {
// authorization form will be POSTed to same URL, so we'll have all params
var authorize_url = req.url;
-
+
self.emit('enforce_login', req, res, authorize_url, function(user_id) {
// store user_id in an HMAC-protected encrypted query param
authorize_url += '&' + querystring.stringify({x_user_id: self.serializer.stringify(user_id)});
