fix: do not assign the defaulted to response_mode to params

panva · Jul 26, 2019 · 18867ad · 18867ad
1 parent 5ff5660
commit 18867ad
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 9 deletions.
diff --git a/lib/actions/authorization/check_response_mode.js b/lib/actions/authorization/check_response_mode.js
@@ -1,6 +1,6 @@
 const { InvalidRequest, UnsupportedResponseMode } = require('../../helpers/errors');
 const instance = require('../../helpers/weak_cache');
-const { isImplicit } = require('../../helpers/resolve_response_mode');
+const { isFrontChannel } = require('../../helpers/resolve_response_mode');
 
 /*
  * Resolves and assigns params.response_mode if it was not explicitly requested. Validates id_token
@@ -11,17 +11,20 @@ const { isImplicit } = require('../../helpers/resolve_response_mode');
 module.exports = function checkResponseMode(ctx, next) {
   const { params, client } = ctx.oidc;
 
-  const implicitOrHybrid = isImplicit(params.response_type);
+  const frontChannel = isFrontChannel(params.response_type);
 
-  if (params.response_mode === undefined) {
-    params.response_mode = implicitOrHybrid ? 'fragment' : 'query';
-  } else if (params.response_mode === 'query' && implicitOrHybrid) {
+  const mode = ctx.oidc.responseMode;
+
+  if (mode === 'query' && frontChannel) {
     throw new InvalidRequest('response_mode not allowed for this response_type');
-  } else if (params.response_mode === 'query.jwt' && implicitOrHybrid && !client.authorizationEncryptedResponseAlg) {
+  } else if (mode === 'query.jwt' && frontChannel && !client.authorizationEncryptedResponseAlg) {
     throw new InvalidRequest('response_mode not allowed for this response_type unless encrypted');
   }
 
-  if (!instance(ctx.oidc.provider).responseModes.has(params.response_mode)) {
+  if (
+    mode !== undefined
+    && !instance(ctx.oidc.provider).responseModes.has(mode)
+  ) {
     params.response_mode = undefined;
     throw new UnsupportedResponseMode();
   }

diff --git a/lib/actions/authorization/respond.js b/lib/actions/authorization/respond.js
@@ -28,6 +28,6 @@ module.exports = async function respond(ctx, next) {
   ctx.oidc.provider.emit('authorization.success', ctx, out);
   debug('uid=%s %o', ctx.oidc.uid, out);
 
-  const handler = instance(ctx.oidc.provider).responseModes.get(params.response_mode);
+  const handler = instance(ctx.oidc.provider).responseModes.get(ctx.oidc.responseMode);
   await handler(ctx, params.redirect_uri, out);
 };
diff --git a/lib/helpers/oidc_context.js b/lib/helpers/oidc_context.js
@@ -11,6 +11,7 @@ const ctxRef = require('../models/ctx_ref');
 const nanoid = require('./nanoid');
 const { InvalidRequest } = require('./errors');
 const instance = require('./weak_cache');
+const resolveResponseMode = require('./resolve_response_mode');
 
 module.exports = function getContext(provider) {
   const { clockTolerance, features: { dPoP: dPoPConfig } } = instance(provider).configuration();
@@ -215,6 +216,18 @@ module.exports = function getContext(provider) {
       return claims;
     }
 
+    get responseMode() {
+      if (typeof this.params.response_mode === 'string') {
+        return this.params.response_mode;
+      }
+
+      if (this.params.response_type !== undefined) {
+        return resolveResponseMode(this.params.response_type);
+      }
+
+      return undefined;
+    }
+
     get acr() {
       return this.session.acr;
     }

diff --git a/lib/helpers/resolve_response_mode.js b/lib/helpers/resolve_response_mode.js
@@ -3,4 +3,4 @@ function resolve(responseType) {
 }
 
 module.exports = resolve;
-module.exports.isImplicit = responseType => (resolve(responseType) === 'fragment');
+module.exports.isFrontChannel = responseType => (resolve(responseType) === 'fragment');