Merge pull request #224 from hapijs/v1cookie
Apply the same HTML meta-refresh redirection logic to OAuth v1. Closes #223
ldesplat committed May 26, 2016
2 parents 6cf0ac7 + 26907b1 commit 32dad04
Showing 2 changed files with 54 additions and 11 deletions.
26 changes: 16 additions & 10 deletions lib/oauth.js
Expand Up @@ -83,7 +83,7 @@ exports.v1 = function (settings) {

const state = request.state[cookie];
if (!state) {
return reply(Boom.internal('Missing ' + name + ' request token cookie'));
return internals.refreshRedirect(request, name, protocol, settings, reply);
}

reply.unstate(cookie);
Expand Down Expand Up @@ -198,15 +198,7 @@ exports.v2 = function (settings) {

state = request.state[cookie];
if (!state) {
if (request.query.refresh) {
return reply(Boom.internal('Missing ' + name + ' request token cookie'));
}

// Workaround for some browsers where due to CORS and the redirection method,
// it will not send the state cookie along until the request comes directly from the same domain
const newQuery = Object.assign({}, request.url.query, { refresh: 1 });
const refreshUrl = internals.location(request, protocol, settings.location) + '?' + internals.queryString(newQuery);
return reply(`<html><head><meta http-equiv="refresh" content="0;URL="${refreshUrl}"></head><body></body></html>`);
return internals.refreshRedirect(request, name, protocol, settings, reply);
}

reply.unstate(cookie);
Expand Down Expand Up @@ -314,6 +306,20 @@ exports.v2 = function (settings) {
};


internals.refreshRedirect = function (request, name, protocol, settings, reply) {

// Workaround for some browsers where due to CORS and the redirection method, the state
// cookie is not included with the request unless the request comes directly from the same origin.

if (request.query.refresh) {
return reply(Boom.internal('Missing ' + name + ' request token cookie'));
}
const refreshQuery = Object.assign({}, request.url.query, { refresh: 1 });
const refreshUrl = internals.location(request, protocol, settings.location) + '?' + internals.queryString(refreshQuery);
return reply(`<html><head><meta http-equiv="refresh" content="0;URL="${refreshUrl}"></head><body></body></html>`);
};


exports.Client = internals.Client = function (options) {

this.provider = options.name;
Expand Down
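Review bot: The meta tag emitted on the last line of internals.refreshRedirect is malformed — `content="0;URL="${refreshUrl}"` closes the content attribute right after `URL=`, so the URL ends up outside any attribute and the redirect works only because browsers tolerate the broken markup; the well-formed line is `return reply(`<html><head><meta http-equiv="refresh" content="0;URL=${refreshUrl}"></head><body></body></html>`);`. Because refreshUrl is interpolated into an HTML document and is built from `request.url.query`, the response is free of HTML injection only if internals.queryString (not visible in this hunk) percent-encodes `"`, `<`, `>` and `&` in every query value; that dependency deserves a comment such as `// refreshUrl is embedded in HTML; relies on queryString percent-encoding the query values` or an explicit escape of refreshUrl before interpolation. The `refresh` guard at the top of the helper correctly bounds this to a single bounce, which is worth stating in the comment block as well. Note that the test in test/oauth.js pins the current malformed string, so fixing the quoting means updating that expectation too; the first hunk belongs to exports.v1 whose body continues outside the hunk.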
39 changes: 38 additions & 1 deletion test/oauth.js
Expand Up @@ -60,7 +60,7 @@ describe('Bell', () => {
});
});

it('errors on missing cookie on token step', (done) => {
it('attempts to perform html redirection on missing cookie on token step', (done) => {

const server = new Hapi.Server();
server.connection({ host: 'localhost', port: 80 });
Expand Down Expand Up @@ -90,6 +90,43 @@ describe('Bell', () => {

server.inject('/login?oauth_token=123&oauth_verifier=123', (res) => {

expect(res.statusCode).to.equal(200);
expect(res.result).to.equal('<html><head><meta http-equiv=\"refresh\" content=\"0;URL=\"http://localhost:80/login?oauth_token=123&oauth_verifier=123&refresh=1\"></head><body></body></html>');
done();
});
});
});

it('errors on missing cookie on token step (with refresh)', (done) => {

const server = new Hapi.Server();
server.connection({ host: 'localhost', port: 80 });
server.register(Bell, (err) => {

expect(err).to.not.exist();

server.auth.strategy('custom', 'bell', {
password: 'cookie_encryption_password_secure',
isSecure: false,
clientId: 'test',
clientSecret: 'secret',
provider: 'twitter'
});

server.route({
method: '*',
path: '/login',
config: {
auth: 'custom',
handler: function (request, reply) {

reply(request.auth.credentials);
}
}
});

server.inject('/login?oauth_token=123&oauth_verifier=123&refresh=1', (res) => {

expect(res.statusCode).to.equal(500);
done();
});
Expand Down
