exchanges: add scope type validation

jaredhanson · Aug 9, 2017 · abc35a2 · abc35a2
1 parent 0516025
commit abc35a2
Show file tree

Hide file tree

Showing 6 changed files with 353 additions and 253 deletions.
diff --git a/lib/exchange/clientCredentials.js b/lib/exchange/clientCredentials.js
@@ -60,7 +60,7 @@ module.exports = function(options, issue) {
     options = undefined;
   }
   options = options || {};
-  
+
   if (!issue) { throw new TypeError('oauth2orize.clientCredentials exchange requires an issue callback'); }
 
   var userProperty = options.userProperty || 'user';
@@ -77,13 +77,17 @@ module.exports = function(options, issue) {
 
   return function client_credentials(req, res, next) {
     if (!req.body) { return next(new Error('OAuth2orize requires body parsing. Did you forget app.use(express.bodyParser())?')); }
-    
+
     // The 'user' property of `req` holds the authenticated user.  In the case
     // of the token endpoint, the property will contain the OAuth 2.0 client.
     var client = req[userProperty]
       , scope = req.body.scope;
-    
+
     if (scope) {
+      if (typeof scope !== 'string') {
+        return next(new TokenError('Invalid parameter: scope must be a string', 'invalid_scope'));
+      }
+
       for (var i = 0, len = separators.length; i < len; i++) {
         var separated = scope.split(separators[i]);
         // only separate on the first matching separator.  this allows for a sort
@@ -95,7 +99,7 @@ module.exports = function(options, issue) {
       }
       if (!Array.isArray(scope)) { scope = [ scope ]; }
     }
-    
+
     function issued(err, accessToken, refreshToken, params) {
       if (err) { return next(err); }
       if (!accessToken) { return next(new TokenError('Invalid client credentials', 'invalid_grant')); }
@@ -109,14 +113,14 @@ module.exports = function(options, issue) {
       if (refreshToken) { tok.refresh_token = refreshToken; }
       if (params) { utils.merge(tok, params); }
       tok.token_type = tok.token_type || 'Bearer';
-      
+
       var json = JSON.stringify(tok);
       res.setHeader('Content-Type', 'application/json');
       res.setHeader('Cache-Control', 'no-store');
       res.setHeader('Pragma', 'no-cache');
       res.end(json);
     }
-    
+
     try {
       var arity = issue.length;
       if (arity == 5) {

diff --git a/lib/exchange/password.js b/lib/exchange/password.js
@@ -78,18 +78,22 @@ module.exports = function(options, issue) {
 
   return function password(req, res, next) {
     if (!req.body) { return next(new Error('OAuth2orize requires body parsing. Did you forget app.use(express.bodyParser())?')); }
-    
+
     // The 'user' property of `req` holds the authenticated user.  In the case
     // of the token endpoint, the property will contain the OAuth 2.0 client.
     var client = req[userProperty]
       , username = req.body.username
       , passwd = req.body.password
       , scope = req.body.scope;
-      
+
     if (!username) { return next(new TokenError('Missing required parameter: username', 'invalid_request')); }
     if (!passwd) { return next(new TokenError('Missing required parameter: password', 'invalid_request')); }
-    
+
     if (scope) {
+      if (typeof scope !== 'string') {
+        return next(new TokenError('Invalid parameter: scope must be a string', 'invalid_scope'));
+      }
+
       for (var i = 0, len = separators.length; i < len; i++) {
         var separated = scope.split(separators[i]);
         // only separate on the first matching separator.  this allows for a sort
@@ -101,21 +105,21 @@ module.exports = function(options, issue) {
       }
       if (!Array.isArray(scope)) { scope = [ scope ]; }
     }
-    
+
     function issued(err, accessToken, refreshToken, params) {
       if (err) { return next(err); }
       if (!accessToken) { return next(new TokenError('Invalid resource owner credentials', 'invalid_grant')); }
       if (refreshToken && typeof refreshToken == 'object') {
         params = refreshToken;
         refreshToken = null;
       }
-      
+
       var tok = {};
       tok.access_token = accessToken;
       if (refreshToken) { tok.refresh_token = refreshToken; }
       if (params) { utils.merge(tok, params); }
       tok.token_type = tok.token_type || 'Bearer';
-      
+
       var json = JSON.stringify(tok);
       res.setHeader('Content-Type', 'application/json');
       res.setHeader('Cache-Control', 'no-store');

diff --git a/lib/exchange/refreshToken.js b/lib/exchange/refreshToken.js
@@ -58,9 +58,9 @@ module.exports = function(options, issue) {
     options = undefined;
   }
   options = options || {};
-  
+
   if (!issue) { throw new TypeError('oauth2orize.refreshToken exchange requires an issue callback'); }
-  
+
   var userProperty = options.userProperty || 'user';
 
   // For maximum flexibility, multiple scope spearators can optionally be
@@ -75,16 +75,20 @@ module.exports = function(options, issue) {
 
   return function refresh_token(req, res, next) {
     if (!req.body) { return next(new Error('OAuth2orize requires body parsing. Did you forget app.use(express.bodyParser())?')); }
-    
+
     // The 'user' property of `req` holds the authenticated user.  In the case
     // of the token endpoint, the property will contain the OAuth 2.0 client.
     var client = req[userProperty]
       , refreshToken = req.body.refresh_token
       , scope = req.body.scope;
-      
+
     if (!refreshToken) { return next(new TokenError('Missing required parameter: refresh_token', 'invalid_request')); }
-    
+
     if (scope) {
+      if (typeof scope !== 'string') {
+        return next(new TokenError('Invalid parameter: scope must be a string', 'invalid_scope'));
+      }
+
       for (var i = 0, len = separators.length; i < len; i++) {
         var separated = scope.split(separators[i]);
         // only separate on the first matching separator.  this allows for a sort
@@ -96,28 +100,28 @@ module.exports = function(options, issue) {
       }
       if (!Array.isArray(scope)) { scope = [ scope ]; }
     }
-    
+
     function issued(err, accessToken, refreshToken, params) {
       if (err) { return next(err); }
       if (!accessToken) { return next(new TokenError('Invalid refresh token', 'invalid_grant')); }
       if (refreshToken && typeof refreshToken == 'object') {
         params = refreshToken;
         refreshToken = null;
       }
-      
+
       var tok = {};
       tok.access_token = accessToken;
       if (refreshToken) { tok.refresh_token = refreshToken; }
       if (params) { utils.merge(tok, params); }
       tok.token_type = tok.token_type || 'Bearer';
-      
+
       var json = JSON.stringify(tok);
       res.setHeader('Content-Type', 'application/json');
       res.setHeader('Cache-Control', 'no-store');
       res.setHeader('Pragma', 'no-cache');
       res.end(json);
     }
-    
+
     try {
       var arity = issue.length;
       if (arity == 6) {