feat(oauth): make server compatible with AppAuth (#534) r=@rfk

Ref: https://appauth.io/
2018-04-03 21:52:59 -04:00 · 2018-04-03 21:52:59 -04:00 · ff9e4228d9
--- a/lib/routes/token.js
+++ b/lib/routes/token.js
@ -84,6 +84,8 @@ const PAYLOAD_SCHEMA = Joi.object({
      then: Joi.forbidden()
    }),

+  redirect_uri: validators.redirectUri.optional(),
+
  grant_type: Joi.string()
    .valid(GRANT_AUTHORIZATION_CODE, GRANT_REFRESH_TOKEN, GRANT_JWT)
    .default(GRANT_AUTHORIZATION_CODE)
@ -98,7 +100,7 @@ const PAYLOAD_SCHEMA = Joi.object({
  scope: Joi.alternatives().when('grant_type', {
    is: GRANT_REFRESH_TOKEN,
    then: validators.scope,
-    otherwise: Joi.forbidden()
+    otherwise: Joi.optional()
  }),

  code: Joi.string()
--- a/lib/validators.js
+++ b/lib/validators.js
@ -32,6 +32,10 @@ exports.scope = Joi.string()
  .max(256)
  .regex(/^[a-zA-Z0-9 _\/.:]+$/);

+exports.redirectUri = Joi.string()
+  .max(256)
+  .regex(/^[a-zA-Z0-9\-_\/.:]+$/);
+
 // taken from mozilla/persona/lib/validate.js
 exports.assertion = Joi.string()
  .min(50)
--- a/test/api.js
+++ b/test/api.js
@ -1899,6 +1899,70 @@ describe('/v1', function() {

    });

+    describe('?redirect_uri', () => {
+      function getCode(clientId) {
+        mockAssertion().reply(200, VERIFY_GOOD);
+        return Server.api.post({
+          url: '/authorization',
+          payload: authParams({
+            client_id: clientId
+          })
+        }).then((res) => {
+          return url.parse(res.result.redirect, true).query.code;
+        });
+      }
+      it('works with https redirect_uri', () => {
+        return getCode(clientId).then((code) => {
+          return Server.api.post({
+            url: '/token',
+            payload: {
+              client_id: clientId,
+              client_secret: secret,
+              code: code,
+              redirect_uri: 'https://2aa95473a5115d5f3deb36bb6875cf76f05e4c4d.extensions.allizom.org/'
+            }
+          });
+        }).then((res) => {
+          assert.equal(res.statusCode, 200);
+        });
+      });
+
+      it('works with app redirect_uri', () => {
+        return getCode(clientId).then((code) => {
+          return Server.api.post({
+            url: '/token',
+            payload: {
+              client_id: clientId,
+              client_secret: secret,
+              code: code,
+              redirect_uri: 'testpilot-notes://redirect.android'
+            }
+          });
+        }).then((res) => {
+          assert.equal(res.statusCode, 200);
+        });
+      });
+
+      it('is validated', () => {
+        return getCode(clientId).then((code) => {
+          return Server.api.post({
+            url: '/token',
+            payload: {
+              client_id: clientId,
+              client_secret: secret,
+              code: code,
+              redirect_uri: 'https://foo\n\n<>\n\r'
+            }
+          });
+        }).then((res) => {
+          assert.equal(res.statusCode, 400);
+          assertInvalidRequestParam(res.result, 'redirect_uri');
+          assertSecurityHeaders(res);
+        });
+      });
+
+    });
+
  });

  describe('/client', function() {