Add support for skipping some validations in parseLoginResponse()

tngan · Mar 30, 2019 · 73be9f2 · 73be9f2
1 parent 8f670a2
commit 73be9f2
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 5 deletions.
diff --git a/src/entity-sp.ts b/src/entity-sp.ts
@@ -12,6 +12,7 @@ import {
   IdentityProviderConstructor as IdentityProvider,
   ServiceProviderMetadata,
   ServiceProviderSettings,
+  ValidationSettings,
 } from './types';
 import { namespace } from './urn';
 import redirectBinding from './binding-redirect';
@@ -50,7 +51,7 @@ export class ServiceProvider extends Entity {
   * @desc  Generates the login request for developers to design their own method
   * @param  {IdentityProvider} idp               object of identity provider
   * @param  {string}   binding                   protocol binding
-  * @param  {function} customTagReplacement     used when developers have their own login response template
+  * @param  {function} customTagReplacement      used when developers have their own login response template
   * @param  {string}   relayState                optionally override default SP relayState
   */
   public createLoginRequest(
@@ -91,18 +92,26 @@ export class ServiceProvider extends Entity {
   * @param  {IdentityProvider}   idp             object of identity provider
   * @param  {string}   binding                   protocol binding
   * @param  {request}   req                      request
+  * @param  {ValidationSettings}   validation    optionally skip some validations
   */
-  public parseLoginResponse(idp, binding, request: ESamlHttpRequest) {
+  public parseLoginResponse(idp, binding, request: ESamlHttpRequest, validation?: ValidationSettings) {
     const self = this;
-    return flow({
+
+    const options = {
       from: idp,
       self: self,
       checkSignature: true, // saml response must have signature
       parserType: 'SAMLResponse',
       type: 'login',
       binding: binding,
       request: request
-    });
+    };
+
+    if (validation) {
+      Object.assign(options, validation);
+    }
+
+    return flow(options);
   }
 
 }
diff --git a/src/flow.ts b/src/flow.ts
@@ -118,7 +118,10 @@ async function postFlow(options): Promise<FlowResult> {
     from,
     self,
     parserType,
-    checkSignature = true
+    checkSignature = true,
+    checkIssuer = true,
+    checkSessionTime = true,
+    checkTime = true
   } = options;
 
   const { body } = request;
@@ -189,6 +192,7 @@ async function postFlow(options): Promise<FlowResult> {
 
   // unmatched issuer
   if (
+    checkIssuer &&
     (parserType === 'LogoutResponse' || parserType === 'SAMLResponse')
     && extractedProperties
     && extractedProperties.issuer !== issuer
@@ -198,6 +202,7 @@ async function postFlow(options): Promise<FlowResult> {
 
   // invalid session time
   if (
+    checkSessionTime &&
     parserType === 'SAMLResponse'
     && !verifyTime(
       undefined,
@@ -210,6 +215,7 @@ async function postFlow(options): Promise<FlowResult> {
   // invalid time
   // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
   if (
+    checkTime &&
     parserType === 'SAMLResponse'
     && extractedProperties.conditions
     && !verifyTime(

diff --git a/src/types.ts b/src/types.ts
@@ -118,3 +118,10 @@ export interface IdentityProviderSettings {
   wantLogoutRequestSignedResponseSigned?: boolean;
   tagPrefix?: { [key: string]: string };
 }
+
+export interface ValidationSettings {
+  checkSignature?: boolean;
+  checkIssuer?: boolean;
+  checkSessionTime?: boolean;
+  checkTime?: boolean;
+}