From 3adbe7fa8458f953f3c8c3e27d9729cc43af508d Mon Sep 17 00:00:00 2001 From: Chris Henney Date: Fri, 19 Jun 2015 01:00:09 -0500 Subject: [PATCH 1/5] fix usage of clientSecret --- lib/oauth.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/oauth.js b/lib/oauth.js index 3de54a14..a715838a 100755 --- a/lib/oauth.js +++ b/lib/oauth.js @@ -196,7 +196,7 @@ exports.v2 = function (settings) { if (settings.provider.useParamsAuth) { query.client_id = settings.clientId; - query.client_secret = settings.client_secret; + query.client_secret = settings.clientSecret; } var requestOptions = { From 476ea7ba7a5b2b8e52a78a1169200686b140ad23 Mon Sep 17 00:00:00 2001 From: Chris Henney Date: Fri, 19 Jun 2015 01:02:20 -0500 Subject: [PATCH 2/5] Add test that passes if the client secret is not modified during auth verification --- test/mock.js | 5 +++++ test/oauth.js | 47 +++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 50 insertions(+), 2 deletions(-) diff --git a/test/mock.js b/test/mock.js index 6a10da9b..4d70f264 100755 --- a/test/mock.js +++ b/test/mock.js @@ -20,6 +20,7 @@ var internals = {}; var lab = exports.lab = Lab.script(); var expect = Code.expect; +exports.SECRET_TESTER = internals.SECRET_TESTER = 'secretTester'; exports.V1 = internals.V1 = function (fail) { @@ -222,6 +223,10 @@ exports.V2 = internals.V2 = function (useParamsAuth) { payload.email = 'steve@example.com'; } + if (code.client_id === internals.SECRET_TESTER) { + expect(internals.SECRET_TESTER).to.equal(request.payload.client_secret); + } + reply(payload); } } diff --git a/test/oauth.js b/test/oauth.js index de06c250..679e9c36 100755 --- a/test/oauth.js +++ b/test/oauth.js 
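Review bot: The corrected line `query.client_secret = settings.clientSecret;` places the secret into the token-request parameters, which RFC 6749 §2.3.1 permits only for clients that cannot authenticate with an HTTP Basic `Authorization` header, so the opt-in deserves a comment on that line: `// useParamsAuth: provider cannot take HTTP Basic client auth, so the secret is sent as a token-request parameter (RFC 6749 §2.3.1)`. The object is named `query`, yet the mock added later in this series reads the value from `request.payload.client_secret`, so it presumably becomes the POST body rather than a URL; the comment should say which, since a secret in a URL would land in provider access logs. Before this fix the value was `undefined`, so unless the strategy options schema already requires `clientSecret`, a guard such as `if (!settings.clientSecret) { throw new Error('clientSecret is required when useParamsAuth is set'); }` would turn a silent token-exchange failure into a configuration error. `exports.v2` starts and ends outside the hunk.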
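Review bot: The `expect(...)` added inside the V2 token handler throws inside the mock provider's route, so a mismatch presumably reaches the Bell-side test only as a non-200 status from the token exchange, never as the assertion's own message. Recording the observed value instead, e.g. `internals.lastClientSecret = request.payload.client_secret;`, and asserting on it from the test would fail with a readable comparison and would not depend on how hapi reports a throw from a handler. The guard `code.client_id === internals.SECRET_TESTER` also means the check silently does nothing if `code` carries no `client_id`; where `code` is built is outside the hunk, as is the start of the enclosing V2 handler.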
@@ -1090,7 +1090,51 @@ describe('Bell', function () { config: { auth: 'custom', handler: function (request, reply) { + reply(request.auth.credentials); + } + } + }); + + server.inject('/login', function (res) { + var cookie = res.headers['set-cookie'][0].split(';')[0] + ';'; + + mock.server.inject(res.headers.location, function (res) { + server.inject({ url: res.headers.location, headers: { cookie: cookie } }, function (res) { + expect(res.statusCode).to.equal(500); + Mock.clear(); + mock.stop(done); + }); + }); + }); + }); + }); + }); + + it('passes if the client secret is not modified in route', { parallel: false }, function (done) { + + var mock = new Mock.V2(); + mock.start(function (provider) { + + var server = new Hapi.Server(); + server.connection({ host: 'localhost', port: 80 }); + server.register(Bell, function (err) { + + expect(err).to.not.exist(); + + server.auth.strategy('custom', 'bell', { + password: 'password', + isSecure: false, + clientId: Mock.SECRET_TESTER, + clientSecret: Mock.SECRET_TESTER, + provider: provider + }); + server.route({ + method: '*', + path: '/login', + config: { + auth: 'custom', + handler: function (request, reply) { reply(request.auth.credentials); } } @@ -1104,8 +1148,7 @@ describe('Bell', function () { server.inject({ url: res.headers.location, headers: { cookie: cookie } }, function (res) { - expect(res.statusCode).to.equal(500); - Mock.clear(); + expect(res.statusCode).to.equal(200); mock.stop(done); }); }); From 76c869c7085ccba8665264c8b786204aa400b067 Mon Sep 17 00:00:00 2001 From: Chris Henney Date: Fri, 19 Jun 2015 01:29:25 -0500 Subject: [PATCH 3/5] Add blank lines at the beginning of functions. --- test/oauth.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/oauth.js b/test/oauth.js index 679e9c36..f144f756 100755 --- a/test/oauth.js +++ b/test/oauth.js 
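Review bot: The new test's only direct assertion is `expect(res.statusCode).to.equal(200)`; the secret comparison lives in the mock behind its `client_id` guard, so if that guard never matches the test passes without having checked the secret at all. Having the V2 mock store the token request's payload on the instance and asserting on it here, e.g. `expect(mock.received.client_secret).to.equal(Mock.SECRET_TESTER);` after the final `server.inject`, keeps the check visible where a reader of this test expects it. A one-line comment above `server.auth.strategy(...)` would also help, e.g. `// clientId doubles as the mock's trigger: the V2 mock verifies client_secret only for this id`, since nothing in the test body says why the constant is used for both fields.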
@@ -1090,6 +1090,7 @@ describe('Bell', function () { config: { auth: 'custom', handler: function (request, reply) { + reply(request.auth.credentials); } } @@ -1099,7 +1100,9 @@ describe('Bell', function () { var cookie = res.headers['set-cookie'][0].split(';')[0] + ';'; mock.server.inject(res.headers.location, function (res) { + server.inject({ url: res.headers.location, headers: { cookie: cookie } }, function (res) { + expect(res.statusCode).to.equal(500); Mock.clear(); mock.stop(done); @@ -1135,6 +1138,7 @@ describe('Bell', function () { config: { auth: 'custom', handler: function (request, reply) { + reply(request.auth.credentials); } } From 02dd7fa335dddf7c8e4d43133ae254aab56d1e00 Mon Sep 17 00:00:00 2001 From: Chris Henney Date: Fri, 19 Jun 2015 01:38:31 -0500 Subject: [PATCH 4/5] Fixed another missing blank line at beginning of a function --- test/oauth.js | 1 + 1 file changed, 1 insertion(+) diff --git a/test/oauth.js b/test/oauth.js index f144f756..25c46ce1 100755 --- a/test/oauth.js +++ b/test/oauth.js @@ -1097,6 +1097,7 @@ describe('Bell', function () { }); server.inject('/login', function (res) { + var cookie = res.headers['set-cookie'][0].split(';')[0] + ';'; mock.server.inject(res.headers.location, function (res) { From 2af0c71cf09e8911b6ed06d049ce35bd1af37e29 Mon Sep 17 00:00:00 2001 From: Chris Henney Date: Mon, 22 Jun 2015 09:57:53 -0500 Subject: [PATCH 5/5] Separate the variable names used for client secret and client id testing. --- test/mock.js | 7 ++++--- test/oauth.js | 4 ++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/test/mock.js b/test/mock.js index 4d70f264..b3f8eba3 100755 --- a/test/mock.js +++ b/test/mock.js 
@@ -20,7 +20,8 @@ var internals = {}; var lab = exports.lab = Lab.script(); var expect = Code.expect; -exports.SECRET_TESTER = internals.SECRET_TESTER = 'secretTester'; +exports.CLIENT_ID_TESTER = internals.CLIENT_ID_TESTER = 'clientIdTester'; +exports.CLIENT_SECRET_TESTER = internals.CLIENT_SECRET_TESTER = 'clientSecretTester'; exports.V1 = internals.V1 = function (fail) { @@ -223,8 +224,8 @@ exports.V2 = internals.V2 = function (useParamsAuth) { payload.email = 'steve@example.com'; } - if (code.client_id === internals.SECRET_TESTER) { - expect(internals.SECRET_TESTER).to.equal(request.payload.client_secret); + if (code.client_id === internals.CLIENT_ID_TESTER) { + expect(internals.CLIENT_SECRET_TESTER).to.equal(request.payload.client_secret); } reply(payload); diff --git a/test/oauth.js b/test/oauth.js index 25c46ce1..1c9a5102 100755 --- a/test/oauth.js +++ b/test/oauth.js @@ -1128,8 +1128,8 @@ describe('Bell', function () { server.auth.strategy('custom', 'bell', { password: 'password', isSecure: false, - clientId: Mock.SECRET_TESTER, - clientSecret: Mock.SECRET_TESTER, + clientId: Mock.CLIENT_ID_TESTER, + clientSecret: Mock.CLIENT_SECRET_TESTER, provider: provider });
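Review bot: The assertion's arguments are reversed: `expect(internals.CLIENT_SECRET_TESTER).to.equal(request.payload.client_secret)` puts the expected constant in the actual position, so a failure reads along the lines of "expected 'clientSecretTester' to equal undefined" and points at the constant rather than at the payload. Swap them: `expect(request.payload.client_secret).to.equal(internals.CLIENT_SECRET_TESTER);`. A short comment on the guard would also explain the coupling to the test, e.g. `// only the client-secret test registers with this id; verify the secret reached the token endpoint unmodified`. The enclosing V2 handler starts before the hunk.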
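Review bot: Now that `clientId` and `clientSecret` are distinct values, the test can also assert that the secret never leaves the server in the authorization redirect, which is the more damaging failure than a mis-named field. In the `server.inject('/login', ...)` callback, which sits outside this hunk, add `expect(res.headers.location).to.not.contain(Mock.CLIENT_SECRET_TESTER);` before following the redirect, and apply the same check to the location the mock redirects back to. The options `password: 'password'` and `isSecure: false` are test fixtures; a comment such as `// test-only cookie settings, never use in production` would keep them from being copied into an example.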