Add separate PKCE session store, for apps that enable PKCE.

jaredhanson · Mar 14, 2019 · 7560043 · 7560043
1 parent 494f83a
commit 7560043
Show file tree

Hide file tree

Showing 3 changed files with 103 additions and 17 deletions.
diff --git a/lib/state/pkcesession.js b/lib/state/pkcesession.js
@@ -0,0 +1,97 @@
+var uid = require('uid2');
+
+/**
+ * Creates an instance of `SessionStore`.
+ *
+ * This is the state store implementation for the OAuth2Strategy used when
+ * the `state` option is enabled.  It generates a random state and stores it in
+ * `req.session` and verifies it when the service provider redirects the user
+ * back to the application.
+ *
+ * This state store requires session support.  If no session exists, an error
+ * will be thrown.
+ *
+ * Options:
+ *
+ *   - `key`  The key in the session under which to store the state
+ *
+ * @constructor
+ * @param {Object} options
+ * @api public
+ */
+function PKCESessionStore(options) {
+  if (!options.key) { throw new TypeError('Session-based state store requires a session key'); }
+  this._key = options.key;
+}
+
+/**
+ * Store request state.
+ *
+ * This implementation simply generates a random string and stores the value in
+ * the session, where it will be used for verification when the user is
+ * redirected back to the application.
+ *
+ * @param {Object} req
+ * @param {Function} callback
+ * @api protected
+ */
+PKCESessionStore.prototype.store = function(req, verifier, state, meta, callback) {
+  if (!req.session) { return callback(new Error('OAuth 2.0 authentication requires session support when using state. Did you forget to use express-session middleware?')); }
+
+  var key = this._key;
+  if (!req.session[key]) { req.session[key] = {}; }
+
+  var state = {
+    handle: uid(24),
+    verifier: verifier
+  };
+
+  req.session[key].state = state;
+
+  callback(null, state.handle);
+};
+
+/**
+ * Verify request state.
+ *
+ * This implementation simply compares the state parameter in the request to the
+ * value generated earlier and stored in the session.
+ *
+ * @param {Object} req
+ * @param {String} providedState
+ * @param {Function} callback
+ * @api protected
+ */
+PKCESessionStore.prototype.verify = function(req, providedState, callback) {
+  if (!req.session) { return callback(new Error('OAuth 2.0 authentication requires session support when using state. Did you forget to use express-session middleware?')); }
+
+  var key = this._key;
+  if (!req.session[key]) {
+    return callback(null, false, { message: 'Unable to verify authorization request state.' });
+  }
+
+  var state = req.session[key].state;
+  if (!state) {
+    return callback(null, false, { message: 'Unable to verify authorization request state.' });
+  }
+
+  delete req.session[key].state;
+  if (Object.keys(req.session[key]).length === 0) {
+    delete req.session[key];
+  }
+
+  var checkState = state;
+  if (typeof state == 'object') {
+    checkState = state.handle;
+  }
+
+  if (checkState !== providedState) {
+    return callback(null, false, { message: 'Invalid authorization request state.' });
+  }
+
+  // FIXME: Do not return `state` value?
+  return callback(null, true, state);
+};
+
+// Expose constructor.
+module.exports = PKCESessionStore;
diff --git a/lib/state/session.js b/lib/state/session.js
@@ -35,22 +35,16 @@ function SessionStore(options) {
  * @param {Function} callback
  * @api protected
  */
-SessionStore.prototype.store = function(req, verifier, state, meta, callback) {
+SessionStore.prototype.store = function(req, callback) {
   if (!req.session) { return callback(new Error('OAuth 2.0 authentication requires session support when using state. Did you forget to use express-session middleware?')); }
 
   var key = this._key;
   if (!req.session[key]) { req.session[key] = {}; }
 
   var state = uid(24);
-
-  if (verifier) {
-    state = { handle: state };
-    state.verifier = verifier;
-  }
-
   req.session[key].state = state;
 
-  callback(null, (typeof state == 'string') ? state : state.handle);
+  callback(null, state);
 };
 
 /**
@@ -82,17 +76,11 @@ SessionStore.prototype.verify = function(req, providedState, callback) {
     delete req.session[key];
   }
 
-  var checkState = state;
-  if (typeof state == 'object') {
-    checkState = state.handle;
-  }
-
-  if (checkState !== providedState) {
+  if (state !== providedState) {
     return callback(null, false, { message: 'Invalid authorization request state.' });
   }
 
-  // FIXME: Do not return `state` value?
-  return callback(null, true, state);
+  return callback(null, true);
 };
 
 // Expose constructor.

diff --git a/lib/strategy.js b/lib/strategy.js
@@ -9,6 +9,7 @@ var passport = require('passport-strategy')
   , OAuth2 = require('oauth').OAuth2
   , NullStateStore = require('./state/null')
   , SessionStateStore = require('./state/session')
+  , PKCESessionStateStore = require('./state/pkcesession')
   , AuthorizationError = require('./errors/authorizationerror')
   , TokenError = require('./errors/tokenerror')
   , InternalOAuthError = require('./errors/internaloautherror');
@@ -104,7 +105,7 @@ function OAuth2Strategy(options, verify) {
     this._stateStore = options.store;
   } else {
     if (options.state) {
-      this._stateStore = new SessionStateStore({ key: this._key });
+      this._stateStore = options.pkce ? new PKCESessionStateStore({ key: this._key }) : new SessionStateStore({ key: this._key });
     } else {
       this._stateStore = new NullStateStore();
     }