Merge 613000a into b3d886f

jaredhanson · May 26, 2015 · 3e1c883 · 3e1c883
2 parents b3d886f + 613000a
commit 3e1c883
Show file tree

Hide file tree

Showing 5 changed files with 232 additions and 194 deletions.
diff --git a/lib/strategy.js b/lib/strategy.js
@@ -76,13 +76,13 @@ function OAuth2Strategy(options, verify) {
     options = undefined;
   }
   options = options || {};
-  
+
   if (!verify) { throw new TypeError('OAuth2Strategy requires a verify callback'); }
   if (!options.authorizationURL) { throw new TypeError('OAuth2Strategy requires a authorizationURL option'); }
   if (!options.tokenURL) { throw new TypeError('OAuth2Strategy requires a tokenURL option'); }
   if (!options.clientID) { throw new TypeError('OAuth2Strategy requires a clientID option'); }
   if (!options.clientSecret) { throw new TypeError('OAuth2Strategy requires a clientSecret option'); }
-  
+
   passport.Strategy.call(this);
   this.name = 'oauth2';
   this._verify = verify;
@@ -118,31 +118,33 @@ util.inherits(OAuth2Strategy, passport.Strategy);
 OAuth2Strategy.prototype.authenticate = function(req, options) {
   options = options || {};
   var self = this;
-  
+
   if (req.query && req.query.error) {
     if (req.query.error == 'access_denied') {
       return this.fail({ message: req.query.error_description });
     } else {
       return this.error(new AuthorizationError(req.query.error_description, req.query.error, req.query.error_uri));
     }
   }
-  
+
   var callbackURL = options.callbackURL || this._callbackURL;
-  if (callbackURL) {
+
+  // 'postmessage' is a special thing in html5, don't try to massage it.
+  if (callbackURL && callbackURL !== 'postmessage') {
     var parsed = url.parse(callbackURL);
     if (!parsed.protocol) {
       // The callback URL is relative, resolve a fully qualified URL from the
       // URL of the originating request.
       callbackURL = url.resolve(utils.originalURL(req, { proxy: this._trustProxy }), callbackURL);
     }
   }
-  
+
   if (req.query && req.query.code) {
     var code = req.query.code;
-    
+
     if (this._state) {
       if (!req.session) { return this.error(new Error('OAuth2Strategy requires session support when using state. Did you forget app.use(express.session(...))?')); }
-      
+
       var key = this._key;
       if (!req.session[key]) {
         return this.fail({ message: 'Unable to verify authorization request state.' }, 403);
@@ -151,12 +153,12 @@ OAuth2Strategy.prototype.authenticate = function(req, options) {
       if (!state) {
         return this.fail({ message: 'Unable to verify authorization request state.' }, 403);
       }
-      
+
       delete req.session[key].state;
       if (Object.keys(req.session[key]).length === 0) {
         delete req.session[key];
       }
-      
+
       if (state !== req.query.state) {
         return this.fail({ message: 'Invalid authorization request state.' }, 403);
       }
@@ -169,16 +171,16 @@ OAuth2Strategy.prototype.authenticate = function(req, options) {
     this._oauth2.getOAuthAccessToken(code, params,
       function(err, accessToken, refreshToken, params) {
         if (err) { return self.error(self._createOAuthError('Failed to obtain access token', err)); }
-        
+
         self._loadUserProfile(accessToken, function(err, profile) {
           if (err) { return self.error(err); }
-          
+
           function verified(err, user, info) {
             if (err) { return self.error(err); }
             if (!user) { return self.fail(info); }
             self.success(user, info);
           }
-          
+
           try {
             if (self._passReqToCallback) {
               var arity = self._verify.length;
@@ -215,14 +217,14 @@ OAuth2Strategy.prototype.authenticate = function(req, options) {
       params.state = state;
     } else if (this._state) {
       if (!req.session) { return this.error(new Error('OAuth2Strategy requires session support when using state. Did you forget app.use(express.session(...))?')); }
-      
+
       var key = this._key;
       state = uid(24);
       if (!req.session[key]) { req.session[key] = {}; }
       req.session[key].state = state;
       params.state = state;
     }
-    
+
     var location = this._oauth2.getAuthorizeUrl(params);
     this.redirect(location);
   }
@@ -309,14 +311,14 @@ OAuth2Strategy.prototype.parseErrorResponse = function(body, status) {
  */
 OAuth2Strategy.prototype._loadUserProfile = function(accessToken, done) {
   var self = this;
-  
+
   function loadIt() {
     return self.userProfile(accessToken, done);
   }
   function skipIt() {
     return done(null);
   }
-  
+
   if (typeof this._skipUserProfile == 'function' && this._skipUserProfile.length > 1) {
     // async
     this._skipUserProfile(accessToken, function(err, skip) {