Clean up authorization params.

jaredhanson · Feb 3, 2016 · d63c910 · d63c910
1 parent 7b7b97a
commit d63c910
Show file tree

Hide file tree

Showing 2 changed files with 217 additions and 24 deletions.
diff --git a/lib/oauth2.js b/lib/oauth2.js
@@ -131,59 +131,62 @@ Strategy.prototype.userProfile = function(accessToken, done) {
  */
 Strategy.prototype.authorizationParams = function(options) {
   var params = {};
+
+  // https://developers.google.com/identity/protocols/OAuth2WebServer
   if (options.accessType) {
     params['access_type'] = options.accessType;
   }
-  if (options.approvalPrompt) {
-    params['approval_prompt'] = options.approvalPrompt;
-  }
   if (options.prompt) {
-    // This parameter is undocumented in Google's official documentation.
-    // However, it was detailed by Breno de Medeiros (who works at Google) in
-    // this Stack Overflow answer:
-    //  http://stackoverflow.com/questions/14384354/force-google-account-chooser/14393492#14393492
     params['prompt'] = options.prompt;
   }
   if (options.loginHint) {
-    // This parameter is derived from OpenID Connect, and supported by Google's
-    // OAuth 2.0 endpoint.
-    //   https://github.com/jaredhanson/passport-google-oauth/pull/8
-    //   https://bitbucket.org/openid/connect/commits/970a95b83add
     params['login_hint'] = options.loginHint;
   }
-  if (options.userID) {
-    // Undocumented, but supported by Google's OAuth 2.0 endpoint.  Appears to
-    // be equivalent to `login_hint`.
-    params['user_id'] = options.userID;
+  if (options.includeGrantedScopes) {
+    params['include_granted_scopes'] = true;
   }
+
+  // https://developers.google.com/identity/protocols/OpenIDConnect
+  if (options.display) {
+    // Specify what kind of display consent screen to display to users.
+    //   https://developers.google.com/accounts/docs/OpenIDConnect#authenticationuriparameters
+    params['display'] = options.display;
+  }
+
+  // Google Apps for Work
   if (options.hostedDomain || options.hd) {
     // This parameter is derived from Google's OAuth 1.0 endpoint, and (although
     // undocumented) is supported by Google's OAuth 2.0 endpoint was well.
     //   https://developers.google.com/accounts/docs/OAuth_ref
     params['hd'] = options.hostedDomain || options.hd;
   }
-  if (options.display) {
-    // Specify what kind of display consent screen to display to users.
-    //   https://developers.google.com/accounts/docs/OpenIDConnect#authenticationuriparameters
-    params['display'] = options.display;
-  }
+
+  // Google+
   if (options.requestVisibleActions) {
     // Space separated list of allowed app actions
     // as documented at:
     //  https://developers.google.com/+/web/app-activities/#writing_an_app_activity_using_the_google_apis_client_libraries
     //  https://developers.google.com/+/api/moment-types/
     params['request_visible_actions'] = options.requestVisibleActions;
   }
+
+  // OpenID 2.0 migration
   if (options.openIDRealm) {
     // This parameter is needed when migrating users from Google's OpenID 2.0 to OAuth 2.0
     //   https://developers.google.com/accounts/docs/OpenID?hl=ja#adjust-uri
     params['openid.realm'] = options.openIDRealm;
   }
-  if (options.includeGrantedScopes) {
-    // For use of this parameter:
-    // https://developers.google.com/identity/protocols/OAuth2WebServer
-    params['include_granted_scopes'] = true;
+
+  // Undocumented
+  if (options.approvalPrompt) {
+    params['approval_prompt'] = options.approvalPrompt;
+  }
+  if (options.userID) {
+    // Undocumented, but supported by Google's OAuth 2.0 endpoint.  Appears to
+    // be equivalent to `login_hint`.
+    params['user_id'] = options.userID;
   }
+
   return params;
 }
 

diff --git a/test/strategy.test.js b/test/strategy.test.js
@@ -18,4 +18,194 @@ describe('Strategy', function() {
     });
   })
 
+  describe('constructed with undefined options', function() {
+    it('should throw', function() {
+      expect(function() {
+        var strategy = new GoogleStrategy(undefined, function(){});
+      }).to.throw(Error);
+    });
+  })
+
+  describe('authorization request with documented parameters', function() {
+    var strategy = new GoogleStrategy({
+      clientID: 'ABC123',
+      clientSecret: 'secret'
+    }, function() {});
+
+
+    var url;
+
+    before(function(done) {
+      chai.passport.use(strategy)
+        .redirect(function(u) {
+          url = u;
+          done();
+        })
+        .req(function(req) {
+          req.session = {};
+        })
+        .authenticate({ prompt: 'select_account', loginHint: 'john@mail.com', accessType: 'offline' });
+    });
+
+    it('should be redirected', function() {
+      expect(url).to.equal('https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=select_account&login_hint=john%40mail.com&response_type=code&redirect_uri=&client_id=ABC123');
+    });
+  }); // authorization request with documented parameters
+
+  describe('authorization request with incremental authorization parameters', function() {
+    var strategy = new GoogleStrategy({
+      clientID: 'ABC123',
+      clientSecret: 'secret'
+    }, function() {});
+
+
+    var url;
+
+    before(function(done) {
+      chai.passport.use(strategy)
+        .redirect(function(u) {
+          url = u;
+          done();
+        })
+        .req(function(req) {
+          req.session = {};
+        })
+        .authenticate({ scope: [ 'https://www.googleapis.com/auth/drive.file' ], includeGrantedScopes: true });
+    });
+
+    it('should be redirected', function() {
+      expect(url).to.equal('https://accounts.google.com/o/oauth2/v2/auth?include_granted_scopes=true&response_type=code&redirect_uri=&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file&client_id=ABC123');
+    });
+  }); // authorization request with incremental authorization parameters
+
+  describe('authorization request with Google Apps for Work parameters', function() {
+    var strategy = new GoogleStrategy({
+      clientID: 'ABC123',
+      clientSecret: 'secret'
+    }, function() {});
+
+
+    var url;
+
+    before(function(done) {
+      chai.passport.use(strategy)
+        .redirect(function(u) {
+          url = u;
+          done();
+        })
+        .req(function(req) {
+          req.session = {};
+        })
+        .authenticate({ hostedDomain: 'example.com' });
+    });
+
+    it('should be redirected', function() {
+      expect(url).to.equal('https://accounts.google.com/o/oauth2/v2/auth?hd=example.com&response_type=code&redirect_uri=&client_id=ABC123');
+    });
+  }); // authorization request with Google Apps for Work parameters
+
+  describe('authorization request with Google Apps for Work parameters, in abbreviated form', function() {
+    var strategy = new GoogleStrategy({
+      clientID: 'ABC123',
+      clientSecret: 'secret'
+    }, function() {});
+
+
+    var url;
+
+    before(function(done) {
+      chai.passport.use(strategy)
+        .redirect(function(u) {
+          url = u;
+          done();
+        })
+        .req(function(req) {
+          req.session = {};
+        })
+        .authenticate({ hd: 'example.com' });
+    });
+
+    it('should be redirected', function() {
+      expect(url).to.equal('https://accounts.google.com/o/oauth2/v2/auth?hd=example.com&response_type=code&redirect_uri=&client_id=ABC123');
+    });
+  }); // authorization request with Google Apps for Work parameters, in abbreviated form
+
+  describe('authorization request with Google+ parameters', function() {
+    var strategy = new GoogleStrategy({
+      clientID: 'ABC123',
+      clientSecret: 'secret'
+    }, function() {});
+
+
+    var url;
+
+    before(function(done) {
+      chai.passport.use(strategy)
+        .redirect(function(u) {
+          url = u;
+          done();
+        })
+        .req(function(req) {
+          req.session = {};
+        })
+        .authenticate({ requestVisibleActions: 'http://schema.org/AddAction http://schema.org/ReviewAction' });
+    });
+
+    it('should be redirected', function() {
+      expect(url).to.equal('https://accounts.google.com/o/oauth2/v2/auth?request_visible_actions=http%3A%2F%2Fschema.org%2FAddAction%20http%3A%2F%2Fschema.org%2FReviewAction&response_type=code&redirect_uri=&client_id=ABC123');
+    });
+  }); // authorization request with Google+ parameters
+
+  describe('authorization request with OpenID 2.0 migration parameters', function() {
+    var strategy = new GoogleStrategy({
+      clientID: 'ABC123',
+      clientSecret: 'secret'
+    }, function() {});
+
+
+    var url;
+
+    before(function(done) {
+      chai.passport.use(strategy)
+        .redirect(function(u) {
+          url = u;
+          done();
+        })
+        .req(function(req) {
+          req.session = {};
+        })
+        .authenticate({ openIDRealm: 'http://www.example.com/' });
+    });
+
+    it('should be redirected', function() {
+      expect(url).to.equal('https://accounts.google.com/o/oauth2/v2/auth?openid.realm=http%3A%2F%2Fwww.example.com%2F&response_type=code&redirect_uri=&client_id=ABC123');
+    });
+  }); // authorization request with OpenID 2.0 migration parameters
+
+  describe('authorization request with undocumented parameters', function() {
+    var strategy = new GoogleStrategy({
+      clientID: 'ABC123',
+      clientSecret: 'secret'
+    }, function() {});
+
+
+    var url;
+
+    before(function(done) {
+      chai.passport.use(strategy)
+        .redirect(function(u) {
+          url = u;
+          done();
+        })
+        .req(function(req) {
+          req.session = {};
+        })
+        .authenticate({ approvalPrompt: 'none', userID: '1' });
+    });
+
+    it('should be redirected', function() {
+      expect(url).to.equal('https://accounts.google.com/o/oauth2/v2/auth?approval_prompt=none&user_id=1&response_type=code&redirect_uri=&client_id=ABC123');
+    });
+  }); // authorization request with undocumented parameters
+
 });