Permalink
Browse files

Added an extra test, and checked realHeaders to catch any dodgy custo…

…m ones
  • Loading branch information...
1 parent 8be23c3 commit 301ebab90cde4c36ad1ac0bc7d814003f4e98432 @ciaranj committed Mar 5, 2013
Showing with 16 additions and 5 deletions.
  1. +1 −1 lib/oauth2.js
  2. +15 −4 tests/oauth2.js
View
2 lib/oauth2.js
@@ -75,7 +75,7 @@ exports.OAuth2.prototype._request= function(method, url, headers, post_body, acc
realHeaders['Host']= parsedUrl.host;
realHeaders['Content-Length']= post_body ? Buffer.byteLength(post_body) : 0;
- if( access_token && !('Authorization' in headers)) {
+ if( access_token && !('Authorization' in realHeaders)) {
if( ! parsedUrl.query ) parsedUrl.query= {};
parsedUrl.query[this._accessTokenName]= access_token;
}
View
19 tests/oauth2.js
@@ -17,14 +17,25 @@ vows.describe('OAuth2').addBatch({
assert.equal( refresh_token, "refresh");
});
},
- 'we should not include access token in both querystring and headers': function (oa) {
+ 'we should not include access token in both querystring and headers (favours headers if specified)': function (oa) {
oa._request = new OAuth2("clientId", "clientSecret")._request.bind(oa);
oa._executeRequest= function( http_library, options, post_body, callback) {
callback(null, url.parse(options.path, true).query, options.headers);
};
- oa.get("/userinfo", 'access', function(error, query, headers) {
- assert.ok( !('access_token' in query), "access_token not in query");
- assert.ok( 'Authorization' in headers, "Authorization in headers");
+
+ oa._request("GET", "http://foo/", {"Authorization":"Bearer BadNews"}, null, "accessx", function(error, query, headers) {
+ assert.ok( !('access_token' in query), "access_token also in query");
+ assert.ok( 'Authorization' in headers, "Authorization not in headers");
+ });
+ },
+ 'we should include access token in the querystring if no Authorization header present to override it': function (oa) {
+ oa._request = new OAuth2("clientId", "clientSecret")._request.bind(oa);
+ oa._executeRequest= function( http_library, options, post_body, callback) {
+ callback(null, url.parse(options.path, true).query, options.headers);
+ };
+ oa._request("GET", "http://foo/", {}, null, "access", function(error, query, headers) {
+ assert.ok( 'access_token' in query, "access_token not present in query");
+ assert.ok( !('Authorization' in headers), "Authorization in headers");
});
},
'we should correctly extract the token if received as a JSON literal': function (oa) {

0 comments on commit 301ebab

Please sign in to comment.