From 93cd606a7d8a3bf880928920ba4c356e6dd1a6a5 Mon Sep 17 00:00:00 2001
From: gits2501
Date: Wed, 9 May 2018 16:34:43 +0200
Subject: [PATCH 1/2] Fixed bug in parsing session data from url, now code is aware of 2 alphanum char after % sign as percent encoded char [ci skip]
---
 .travis.yml | 2 --
 package.json | 2 +-
 src/AccessToken.js | 4 ++--
 3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index f753f9e..686f216 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -4,8 +4,6 @@ node_js:
 - '9.11.1'
 git:
 depth: 3
-before_install:
- - 'sudo apt-get update && sudo apt-get install linux-image-generic '
 after_success: 'npm run coveralls'
 cache:
 directiories:
diff --git a/package.json b/package.json
index d9faa94..2a4dfcf 100644
--- a/package.json
+++ b/package.json
@@ -7,7 +7,7 @@
 "lint": "eslint src/AccessToken.js",
 "instrument": "istanbul instrument src/AccessToken.js --output src/AccessToken_instrumented.js",
 "browserify": "./node_modules/browserify/bin/cmd.js test/accesstoken.js --exclude btoa -o test/accesstoken_bundle.js",
- "mocha-headless": "mocha-headless-chrome -f mocha-test.html -c test/coverage.json",
+ "mocha-headless": "mocha-headless-chrome -a no-sandbox -f mocha-test.html -c test/coverage.json",
 "report": "istanbul report --root test/ lcov",
 "coveralls": "cat ./coverage/lcov.info | ./node_modules/coveralls/bin/coveralls.js && rm -rf ./coverage",
 "test": "npm run instrument && npm run browserify && npm run mocha-headless && npm run report"
diff --git a/src/AccessToken.js b/src/AccessToken.js
index 1735207..ac63753 100644
--- a/src/AccessToken.js
+++ b/src/AccessToken.js
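Review bot: The `cache:` block in this hunk's context spells its key `directiories:`, which is not the `directories` key Travis documents, so the cache section is most likely ignored and every build re-downloads its dependencies. Since this commit already edits `.travis.yml`, correcting it to `directories:` belongs here. The removal of the `before_install` kernel-image step is otherwise a plain simplification and raises nothing on its own.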
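Review bot: `-a no-sandbox` in the `mocha-headless` script turns off Chrome's process sandbox for every `npm test` invocation, including developers' local runs, not only the CI container where the removed `before_install` step suggests it was needed. That sandbox is the main isolation layer between the test page (which loads the browserified bundle) and the host, so it should stay on by default: leave the existing script as it was and add a CI-only variant, e.g. `"mocha-headless:ci": "mocha-headless-chrome -a no-sandbox -f mocha-test.html -c test/coverage.json"`, and point the Travis configuration at that one. If the sandbox genuinely cannot run on some contributor machines, that constraint should be documented rather than solved by disabling it globally.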
@@ -75,7 +75,7 @@ var deliverData = require('twiz-client-redirect').prototype.deliverData;
 if(str[0] === "?") str = str.substring(1); // remove "?" if we have one at beggining
 arr = str.split('&') // make new array element on each "&"
- .map( function(el, i){
+ .map( function(el){
 var arr2 = el.split("="); // for each element make new array element on each "="
 return arr2;
@@ -128,7 +128,7 @@ var deliverData = require('twiz-client-redirect').prototype.deliverData;
- AccessToken.prototype.loadRequestToken = function(storage, sent){
+ AccessToken.prototype.loadRequestToken = function(storage){
 if(!storage.hasOwnProperty('requestToken_')) throw this.CustomError('requestTokenNotSaved');
From 0a49c1ba35365ac830a527aa2527fc8819bbc29f Mon Sep 17 00:00:00 2001
From: gits2501
Date: Thu, 21 Jun 2018 17:13:55 +0200
Subject: [PATCH 2/2] Added one more test case
---
 src/AccessToken.js | 29 +++++++++++++++++++----------
 test/accesstoken.js | 27 +++++++++++++++++++--------
 2 files changed, 38 insertions(+), 18 deletions(-)
diff --git a/src/AccessToken.js b/src/AccessToken.js
index ac63753..44f2644 100644
--- a/src/AccessToken.js
+++ b/src/AccessToken.js
@@ -22,7 +22,8 @@ var deliverData = require('twiz-client-redirect').prototype.deliverData;
 requestTokenNotSaved: 'Request token was not saved. Check that page url from which you make request match your redirection_url.',
 noRepeat: "Cannot make another request with same redirection(callback) url",
 urlNotFound: "Current window location (url) not found",
- noSessionData: 'Unable to find session data in current url'
+ noSessionData: 'Unable to find session data in current url',
+ spaWarning: 'Authorization data not found in url'
 })
 }
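Review bot: The subject line describes a fix for percent-encoded characters in the session data, but neither hunk in src/AccessToken.js changes any parsing logic: this one only drops the unused index parameter from the `.map` callback, and the `@@ -128` hunk only drops the unused `sent` parameter of `loadRequestToken`. If the decoding fix landed elsewhere the message should say so; otherwise it is missing from this patch. Separately, `el.split("=")` in the context lines splits on every `=`, so a value that itself contains `=` (base64-style padding, for instance) yields more than two elements; whether that is harmless depends on the consumer of `arr2`, which lies outside the hunk, as does the rest of the enclosing function.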
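Review bot: The new key `spaWarning` is named after the audience the message targets rather than the condition it reports, unlike its neighbours `urlNotFound` and `noSessionData`, which name what went wrong. A condition-named key such as `authorizationDataNotFound` would read consistently with the rest of the table and with the message text `'Authorization data not found in url'`; the rename would also have to be applied wherever the key is looked up, including the `errorValidation.bind(null, 'spaWarning')` assertion added in test/accesstoken.js.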
@@ -30,15 +31,17 @@ var deliverData = require('twiz-client-redirect').prototype.deliverData;
 AccessToken.prototype.setAuthorizedTokens = function(){
- this.authorizeRedirectionUrl(),
- // set params for access token leg explicitly
- this.oauth[this.prefix + 'verifier'] = this.authorized.oauth_verifier // Put authorized verifier
- this.oauth[this.prefix + 'token'] = this.authorized.oauth_token; // Authorized token
+ this.parseRedirectionUrl(this.winLoc); // parse url
+ /* istanbul ignore else */
+ if(this.isAuthorizationDataInURL()){
+ this.authorize(this.redirectionData); // authorize token
+ // set params for access token leg explicitly
+ this.oauth[this.prefix + 'verifier'] = this.authorized.oauth_verifier // Put authorized verifier
+ this.oauth[this.prefix + 'token'] = this.authorized.oauth_token; // Authorized token
+ }
 }
 AccessToken.prototype.authorizeRedirectionUrl = function(){// makes sure we have needed data in redirection url
- this.parseRedirectionUrl(this.winLoc); // parse url
- return this.authorize(this.redirectionData); // authorize token
 }
@@ -101,10 +104,16 @@ var deliverData = require('twiz-client-redirect').prototype.deliverData;
 return data;
 }
-
+ //
+ AccessToken.prototype.isAuthorizationDataInURL = function(){ // check that we have valid twitter redirection url
+ if(!this.redirectionData.oauth_token && !this.redirectionData.oauth_verifier){ // not a redirection url
+ throw this.CustomError('spaWarning');
+ }
+ else return true
+ }
 AccessToken.prototype.authorize = function(sent){ // check that sent data from redirection url has needed info
- // console.log('in authorize');
+ //console.log('in authorize');
 if(this.isRequestTokenUsed(window.localStorage)) throw this.CustomError('noRepeat');
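Review bot: `authorizeRedirectionUrl` is left on the prototype with an empty body once both of its statements are removed, while its trailing comment still promises that it "makes sure we have needed data in redirection url"; any external caller that relied on it now gets `undefined` and no authorization check at all, silently. Either delete the method together with its comment, or make it delegate to the new flow, e.g. `AccessToken.prototype.authorizeRedirectionUrl = function(){ this.parseRedirectionUrl(this.winLoc); if(this.isAuthorizationDataInURL()) return this.authorize(this.redirectionData); }`. The `/* istanbul ignore else */` above the new `if` in `setAuthorizedTokens` also deserves a second look: `isAuthorizationDataInURL` (added in the `@@ -101` hunk) either throws or returns `true`, so the else path is unreachable by construction and the conditional could be a plain guard statement `this.isAuthorizationDataInURL();` followed by the authorize call, with no coverage exclusion needed.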
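Review bot: `isAuthorizationDataInURL` throws only when both `oauth_token` and `oauth_verifier` are absent, so a redirection URL that carries one of them but not the other passes this guard and reaches `authorize` with incomplete data; if `authorize` (whose body continues outside the hunk) already rejects a missing verifier this is merely a misleading name, otherwise the condition should be `if(!this.redirectionData.oauth_token || !this.redirectionData.oauth_verifier){`. Its return value is always `true`, so the `if` at the call site can never take its else branch — that is what forces the `istanbul ignore else` there — and the `else` keyword in front of `return true` is redundant after a `throw`. Add the missing semicolon to `return true` and replace the bare `//` line above the function with either a real comment describing the check or nothing.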
@@ -141,7 +150,7 @@ var deliverData = require('twiz-client-redirect').prototype.deliverData;
 // used/erased with null
 // console.log('after erasing storage.requestToken :', storage.requestToken_);
 // console.log('loadedRequestToken',this.loadedRequestToken);
- if (!this.loadedRequestToken) throw this.CustomError('requestTokenNotSet');
+ if(!this.loadedRequestToken) throw this.CustomError('requestTokenNotSet');
 }
 AccessToken.prototype.getSessionData = function(){ // gets session data from redirection url
diff --git a/test/accesstoken.js b/test/accesstoken.js
index 6ed56e9..a790038 100644
--- a/test/accesstoken.js
+++ b/test/accesstoken.js
@@ -23,7 +23,7 @@ describe('Access Token', function(){
 // token leg). Remove 'oauth_token='
- it('ready ', function(){
+ it('ready ', function(){
 at.winLoc += query; // mock curent location with tokens from twitter
 assert.doesNotThrow(at.setAuthorizedTokens.bind(at));
 })
@@ -95,19 +95,21 @@ describe('Access Token', function(){
 delete window.localStorage.requestToken_ ; // make like token was not saved
 assert.throws(at.setAuthorizedTokens.bind(at), errorValidation.bind(null, 'requestTokenNotSaved'));
 })
+
+ it('token missmatch - throw error', function(){ // Check that received request_token
+ // is same as the one that is sent
+ at.winLoc = pageUrl + session_data + request_token + verifier; // Set current location (url)
+ window.localStorage.requestToken_ = 'NotSameAsTheOneReceived'; // Make saved request_token different
+ assert.throws(at.setAuthorizedTokens.bind(at), errorValidation.bind(null, 'tokenMissmatch'));
+ })
-
- it('request token not set', function(){ // property is there but has no value
+ it('request token not set', function(){ // property is there but has no value
 at.winLoc = session_data + request_token + verifier; // set current location (url)
 window.localStorage.requestToken_ = ''; // make token fresh
 assert.throws(at.setAuthorizedTokens.bind(at), errorValidation.bind(null, 'requestTokenNotSet'));
 })
- it('request token not set', function(){ // property is there but has no value
- at.winLoc = pageUrl + session_data + request_token + verifier; // set current location (url)
- window.localStorage.requestToken_ = ''; // make token fresh
- assert.throws(at.setAuthorizedTokens.bind(at), errorValidation.bind(null, 'requestTokenNotSet'));
- })
+
 describe('session data', function(){
@@ -121,6 +123,15 @@ describe('Access Token', function(){
 })
+ describe('spa apps warning', function(){
+
+ it('Authorization data not found in url - throw error', function(){
+ at.winLoc = 'https://myApp.com/noQueryString'; // simulate no authorization data (request token
+ // and verifier)
+ assert.throws(at.setAuthorizedTokens.bind(at), errorValidation.bind(null, 'spaWarning'));
+ })
+
+ })
 })
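Review bot: The `'request token not set'` case that survives is the one without `pageUrl`, while the deleted duplicate was the one that prefixed it, so after this change no test exercises the not-set path with a full page URL even though the new `'token missmatch'` case builds its location as `pageUrl + session_data + request_token + verifier`; if both URL shapes are meant to be supported, keep the `pageUrl` variant (or both under distinct titles) rather than dropping it. The new case also leaves `window.localStorage.requestToken_` set to `'NotSameAsTheOneReceived'`, so its outcome leaks into whichever test runs next unless that test resets the key itself — the neighbouring cases do, but a `beforeEach` that restores the saved token would make the isolation explicit instead of order-dependent. "missmatch" in the title and in the `'tokenMissmatch'` key is a spelling slip; the key has to match whatever AccessToken.js defines, so correct both together if that definition carries the same spelling.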
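Review bot: The new case only shows that a location with no query string at all raises `spaWarning`; a location that does carry a query string but no `oauth_token`/`oauth_verifier` pair (for example `at.winLoc = pageUrl + '?foo=bar';`, assuming `pageUrl` is the bare app URL the other cases prefix) is the more discriminating input for `isAuthorizationDataInURL`, and a second `it` with that location would cover it. The literal `'https://myApp.com/noQueryString'` also sidesteps the `pageUrl` fixture the rest of the suite uses; building the location from `pageUrl` keeps the suite's notion of the application URL in one place.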