sendResponse and sendErrorResponse implemented

radekg · Mar 1, 2012 · d17a128 · d17a128
1 parent 5553884
commit d17a128
Show file tree

Hide file tree

Showing 2 changed files with 108 additions and 94 deletions.
diff --git a/oauth2.js b/oauth2.js
@@ -45,7 +45,6 @@ mongodClient.open(function(err, p_client) {
 
 var oauth2 = null;
 function setupOAuth2Server() {
-	util.puts("Setting up OAuth2, connected to mongod, reading scopes for this app");
 	mongodClient.collection("scopes", function(err, collection) {
 		collection.find({}, function(err, cursor) {
 			cursor.toArray( function(err, arr) {
@@ -271,7 +270,6 @@ app.post("/oauth2/do-login", function(req,res) {
 			res.writeHead(401, "Session expired " + oauth2.fixString( sessionCode ) );
 			res.end();
 		} else {
-			// TODO: params should be loaded from an external function
 			oauth2.getUserAccountBy( { username: req.param("username", null), password: req.param("password", null) }, function( account ) {
 				if ( account != null ) {
 					res.cookie("logged_in", account.username, { path: "/" });
@@ -306,22 +304,13 @@ app.get("/oauth2/scopes", function(req,res) {
 		} else {
 			oauth2.clientIdLookup( sessionData.stateObject.client_id, function(clientApp) {
 				if ( clientApp == null ) {
-					res.writeHead(400, "Client ID invalid");
+					res.writeHead(400, "invalid_request: Client ID invalid");
 					res.end();
 				} else {
-
 					var requestedScopes = sessionData.stateObject.scope.split(" ");
 					var scopes = [];
 					for ( var i=0; i<requestedScopes.length; i++ ) {
-						var aScopeName = oauth2.getScopeName( requestedScopes[i] );
-						if ( aScopeName == null ) {
-							// TODO: if redirect_uri specified, send back
-							res.writeHead(400, "invalid_scope: " + requestedScopes[i]);
-							res.end();
-							return;
-						} else {
-							scopes.push( { scope: requestedScopes[i], name: aScopeName } );
-						}
+						scopes.push( { scope: requestedScopes[i], name: oauth2.getScopeName( requestedScopes[i] ) } );
 					}
 					res.render("scopes", {
 						scopes: scopes
@@ -360,19 +349,29 @@ app.post("/oauth2/do-scopes", function(req,res) {
 		} else {
 			// check if user has allowed or denied the access:
 			if ( accessStatus == "allow" ) {
-				util.puts("Access allowed");
 				var authCode = oauth2.generateAuthCode( sessionData.stateObject.client_id );
 				oauth2.storeAuthCode( oauth2.fixString( authCode ), sessionData.stateObject.client_id );
 				oauth2.updateUserPrivileges(
 					req.cookies.logged_in
 					, sessionData.stateObject.client_id
 					, sessionData.stateObject.scope.split(" ") );
 				// TODO: redirect the user to the redirect_uri
-				res.writeHead(200, authCode);
-				res.end();
+
+				if ( sessionData.stateObject.redirect_uri != null ) {
+					var _url = sessionData.stateObject.redirect_uri + "?";
+					if ( sessionData.stateObject.state != null ) {
+						_url += "&state=" + state;
+					}
+					_url += "&code=" + authCode;
+					res.redirect( _url );
+					res.end()
+				} else {
+					oauth2.sendResponse( sessionData.stateObject, { code: authCode }, res );
+					res.end();
+				}
+
 			} else if ( accessStatus == "deny" ) {
-				// TODO: redirect the user to the redirect_uri
-				res.writeHead(400, "access_denied: User denied");
+				oauth2.sendErrorResponse( sessionData.stateObject, { error: "access_denied", error_description: "User denied." }, res );
 				res.end();
 			}
 		}
@@ -382,67 +381,55 @@ app.post("/oauth2/do-scopes", function(req,res) {
 
 app.get("/oauth2/auth", function(req,res) {
 
-	var redirect_uri = req.param("redirect_uri", null);
-	var response_type = req.param("response_type", null);
-	var client_id = req.param("client_id", null);
-	var scope = req.param("scope", null);
-	var state = req.param("state", null);
+	util.puts( "--------------------------------------------" );
+	util.puts( "Referer is: " + req.header("Referer") );
+	util.puts( "--------------------------------------------" );
+
+	var stateObject = {
+		client_id: req.param("client_id", null)
+		, redirect_uri: req.param("redirect_uri", null)
+		, response_type: req.param("response_type", null)
+		, scope: req.param("scope", null)
+		, state: req.param("state", null) };
+	var validationStatus = oauth2.validateAuthRequest( stateObject, req.header("Referer") );
+	if ( validationStatus.error != null ) {
+		oauth2.sendErrorResponse( stateObject, validationStatus, res );
+		res.end();
+		return;
+	}
 
-	if ( client_id != null ) client_id = oauth2.fixString( client_id );
+	stateObject.client_id = oauth2.fixString( stateObject.client_id );
 
-	oauth2.clientIdLookup( client_id, function(clientApp) {
+	oauth2.clientIdLookup( stateObject.client_id, function(clientApp) {
 		if ( clientApp == null ) {
-			// TODO: if redirect_uri specified, send back
-			res.writeHead(400, "unauthorized_client: Client ID invalid");
+			oauth2.sendErrorResponse( stateObject, { error: "unauthorized_client", error_description: "Client ID invalid" }, res );
 			res.end();
 		} else {
-
-			util.puts("Hai: " + req.cookies.logged_in);
-
 			if ( req.cookies.logged_in == undefined ) {
-
-				var loginSessionCode = oauth2.generateLoginSessionCode(client_id);
-				oauth2.storeSessionLoginCode( loginSessionCode, {
-					client_id: client_id
-					, redirect_uri: redirect_uri
-					, response_type: response_type
-					, scope: scope
-					, state: state } );
+				var loginSessionCode = oauth2.generateLoginSessionCode(stateObject.client_id);
+				oauth2.storeSessionLoginCode( loginSessionCode, stateObject );
 				res.redirect("/oauth2/login?ses=" + loginSessionCode);
-
 			} else {
-
 				oauth2.getUserAccountBy( { username: req.cookies.logged_in }, function( account ) {
 					if ( account != null ) {
 						if ( account.authorized == null || account.authorized == undefined ) {
 							account.authorized = {};
 						}
-						if ( account.authorized[ client_id ] == null || account.authorized[ client_id ] == undefined ) {
-							var loginSessionCode = oauth2.generateLoginSessionCode(client_id);
-							oauth2.storeSessionLoginCode( loginSessionCode, {
-								client_id: client_id
-								, redirect_uri: redirect_uri
-								, response_type: response_type
-								, scope: scope
-								, state: state } );
+						if ( account.authorized[ stateObject.client_id ] == null || account.authorized[ stateObject.client_id ] == undefined ) {
+							var loginSessionCode = oauth2.generateLoginSessionCode(stateObject.client_id);
+							oauth2.storeSessionLoginCode( loginSessionCode, stateObject );
 							res.redirect("/oauth2/scopes?ses=" + loginSessionCode);
 						} else {
-							var authCode = oauth2.generateAuthCode( client_id );
-							oauth2.storeAuthCode( oauth2.fixString( authCode ), client_id );
-							// TODO: redirect the user to the redirect_uri
-							res.writeHead(200, authCode);
+							var authCode = oauth2.generateAuthCode( stateObject.client_id );
+							oauth2.storeAuthCode( oauth2.fixString( authCode ), stateObject.client_id );
+							oauth2.sendResponse( stateObject, { code: authCode }, res )
 							res.end();
 						}
 					} else {
-						res.writeHead(400, "unauthorized_client: invalid account");
+						oauth2.sendErrorResponse( stateObject, { error: "unauthorized_client", error_description: "Spoofed account." }, res );
 						res.end();
 					}
 				});
-
-				// get account by user id:
-				// check if the user authorized the app and all scopes requested
-					// if true - generate the code and send back
-					// otherwise - show scopes page
 			}
 
 		}

diff --git a/server/oauth2-server.js b/server/oauth2-server.js
@@ -1,5 +1,6 @@
 var util = require("util")
-	, hash = require("jshashes");
+	, hash = require("jshashes")
+	, url = require("url");
 
 function OAuth2Server( settings ) {
 
@@ -46,55 +47,81 @@ OAuth2Server.prototype.getScopeName = function(scope) {
 	return null;
 };
 
-OAuth2Server.prototype.processLookup = function(response_type, client_id, scope, state) {
+OAuth2Server.prototype.sendResponse = function( stateObject, data, response ) {
+	if ( stateObject.redirect_uri != null ) {
+		var _url = stateObject.redirect_uri + "?";
+		for ( var key in data ) {
+			_url += key + "=" + dataObject[key] + "&";
+		}
+		if ( stateObject.state != null ) {
+			_url += "state=" + stateObject.state;
+		}
+		response.redirect(_url);
+	} else {
+		response.writeHead(200, JSON.stringify( data ));
+	}
+}
+
+OAuth2Server.prototype.sendErrorResponse = function( stateObject, errorObject, response ) {
+	if ( stateObject.redirect_uri != null ) {
+		var _url = stateObject.redirect_uri + "?";
+		for ( var key in errorObject ) {
+			_url += key + "=" + errorObject[key] + "&";
+		}
+		if ( stateObject.state != null ) {
+			_url += "state=" + stateObject.state;
+		}
+		response.redirect(_url);
+	} else {
+		response.writeHead(400, errorObject.error + ": " + errorObject.error_description);
+	}
+}
+
+OAuth2Server.prototype.validateAuthRequest = function(stateObject, referer) {
 	var resp = {};
-	if ( response_type == null ) {
+	if ( stateObject.response_type == null ) {
 		resp.error = "invalid_request";
-		resp.error_description = "Parameter response_type not given.";
-		if ( state != null ) {
-			resp.state = state;
-		}
+		resp.error_description = "Parameter response_type required.";
 		return resp;
 	}
-
-	if ( client_id == null ) {
+	if ( stateObject.response_type !== "code" ) {
 		resp.error = "invalid_request";
-		resp.error_description = "Parameter client_id not given.";
-		if ( state != null ) {
-			resp.state = state;
-		}
+		resp.error_description = "Parameter response_type must be 'code'. Other values currently unsupported.";
 		return resp;
 	}
-
-	if ( response_type !== "code" ) {
+	if ( stateObject.client_id == null ) {
 		resp.error = "invalid_request";
-		resp.error_description = "Parameter response_type has a wrong value.";
-		if ( state != null ) {
-			resp.state = state;
-		}
+		resp.error_description = "Parameter client_id required.";
 		return resp;
 	}
-
-	if ( this.clientIdExistsLookup( client_id ) != null ) {
-
-		resp.scope = scope;
-		resp.state = state;
-		// 
-		/*
-		resp.code = this.generateAuthCode( client_id );
-		this.doAuthCodeStorage( client_id, resp.code );
-		if ( state != null ) {
-			resp.state = state;
+	if ( stateObject.redirect_uri != null ) {
+		var parsedUri = url.parse( stateObject.redirect_uri );
+		var parsedReferer = null;
+		if ( typeof(referer) == "string" ) {
+			parsedReferer = url.parse( referer )
+		}
+		if ( parsedUri.hostname !== parsedReferer.hostname ) {
+			resp.error = "invalid_request";
+			resp.error_description = "Can't redirect to unauthorized URI.";
+			return resp;
 		}
-		return resp;
-		*/
-
-
 	} else {
-		resp.error = "unauthorized_client";
-		return resp;
+		// lookup app details to see if the uri stored on the app settings
+		// and compare those...
+	}
+
+	var requestedScopes = stateObject.scope.split(" ");
+	var scopes = [];
+	for ( var i=0; i<requestedScopes.length; i++ ) {
+		var aScopeName = this.getScopeName( requestedScopes[i] );
+		if ( aScopeName == null ) {
+			resp.error = "invalid_scope";
+			resp.error_description = requestedScopes[i];
+			return resp ;
+		}
 	}
 
+	return resp;
 }
 OAuth2Server.prototype.generateLoginSessionCode = function( client_id ) {
 	var code = new hash.SHA1().b64( (new Date()).toString() + Math.random() + client_id + this.randomString(50) );