updates to 6-4 (clean copy of 6-1)

Author: jricher

exercises/ch-6-ex-1/client.js

@@ -15,5 +15,5 @@ var server = app.listen(9000, 'localhost', function () {
 });
 
 app.get("/*", function(req, res){
-	res.sendFile(path.join(__dirname, "files/client/callback.html"));
+	res.sendFile(path.join(__dirname, "files/client/index.html"));
 });

…ses/ch-6-ex-1/files/client/callback.html …rcises/ch-6-ex-1/files/client/index.htmlexercises/ch-6-ex-1/files/client/callback.html renamed to exercises/ch-6-ex-1/files/client/index.html exercises/ch-6-ex-1/files/client/callback.html renamed to exercises/ch-6-ex-1/files/client/index.html

@@ -5,6 +5,7 @@ var randomstring = require("randomstring");
 var cons = require('consolidate');
 var nosql = require('nosql').load('database.nosql');
 var querystring = require('querystring');
+var qs = require('qs');
 var __ = require('underscore');
 __.string = require('underscore.string');
 
@@ -26,6 +27,7 @@ var authServer = {
 
 // client information
 var clients = [
+
 	{
 		"client_id": "oauth-client-1",
 		"client_secret": "oauth-client-secret-1",
@@ -48,11 +50,6 @@ app.get('/', function(req, res) {
 
 app.get("/authorize", function(req, res){
 
-	/*
-	 * Process the request, validate the client, and send the user to the approval page
-	 */
-	
-	
 	var client = getClient(req.query.client_id);
 
 	if (!client) {
@@ -68,15 +65,13 @@ app.get("/authorize", function(req, res){
 		var rscope = req.query.scope ? req.query.scope.split(' ') : undefined;
 		var cscope = client.scope ? client.scope.split(' ') : undefined;
 		if (__.difference(rscope, cscope).length > 0) {
-			// client asked for a scope it couldn't have
-			var urlParsed = url.parse(req.query.redirect_uri);
-			delete urlParsed.search; // this is a weird behavior of the URL library
-			urlParsed.query = urlParsed.query || {};
-			urlParsed.query.error = 'invalid_scope';
-			res.redirect(url.format(urlParsed));
+			var urlParsed = buildUrl(req.query.redirect_uri, {
+				error: 'invalid_scope'
+			});
+			res.redirect(urlParsed);
 			return;
 		}
-
+		
 		var reqid = randomstring.generate(8);
 
 		requests[reqid] = req.query;
@@ -102,90 +97,85 @@ app.post('/approve', function(req, res) {
 	if (req.body.approve) {
 		if (query.response_type == 'code') {
 			// user approved access
-			var code = randomstring.generate(8);
-			
-			var scope = __.filter(__.keys(req.body), function(s) { return __.string.startsWith(s, 'scope_'); })
-				.map(function(s) { return s.slice('scope_'.length); });
+
+			var rscope = getScopesFromForm(req.body);
 			var client = getClient(query.client_id);
 			var cscope = client.scope ? client.scope.split(' ') : undefined;
-			if (__.difference(scope, cscope).length > 0) {
-				// client asked for a scope it couldn't have
-				var urlParsed = url.parse(query.redirect_uri);
-				delete urlParsed.search; // this is a weird behavior of the URL library
-				urlParsed.query = urlParsed.query || {};
-				urlParsed.query.error = 'invalid_scope';
-				res.redirect(url.format(urlParsed));
+			if (__.difference(rscope, cscope).length > 0) {
+				var urlParsed = buildUrl(query.redirect_uri, {
+					error: 'invalid_scope'
+				});
+				res.redirect(urlParsed);
 				return;
 			}
 
+			var code = randomstring.generate(8);
+			
 			// save the code and request for later
-			codes[code] = { authorizationEndpointRequest: query, scope: scope };
+			
+			codes[code] = { request: query, scope: rscope };
 
-			var urlParsed = url.parse(query.redirect_uri);
-			delete urlParsed.search; // this is a weird behavior of the URL library
-			urlParsed.query = urlParsed.query || {};
-			urlParsed.query.code = code;
-			urlParsed.query.state = query.state; 
-			res.redirect(url.format(urlParsed));
+			var urlParsed = buildUrl(query.redirect_uri, {
+				code: code,
+				state: query.state
+			});
+			res.redirect(urlParsed);
 			return;
+		} else if (query.response_type == 'token') {
 
-		} else if (query.response_type == 'token') {			
-			var scope = __.filter(__.keys(req.body), function(s) { return __.string.startsWith(s, 'scope_'); })
-				.map(function(s) { return s.slice('scope_'.length); });
+			var rscope = getScopesFromForm(req.body);
 			var client = getClient(query.client_id);
 			var cscope = client.scope ? client.scope.split(' ') : undefined;
-			if (__.difference(scope, cscope).length > 0) {
-				var urlParsed = url.parse(query.redirect_uri);
-				delete urlParsed.search; // this is a weird behavior of the URL library
-				urlParsed.hash = 'error=invalid_scope';
-				res.redirect(url.format(urlParsed));
+			if (__.difference(rscope, cscope).length > 0) {
+				var urlParsed = buildUrl(query.redirect_uri,
+					{},
+					qs.stringify({error: 'invalid_scope'})
+				);
+				res.redirect(urlParsed);
 				return;
 			}
 			var access_token = randomstring.generate();
-			nosql.insert({ access_token: access_token, client_id: clientId, scope: scope });
-			var cscope = null;
-			if (scope) {
-				cscope = scope.join(' ');
-			}
+			nosql.insert({ access_token: access_token, client_id: client.client_id, scope: rscope });
 
-			var token_response = { access_token: access_token, token_type: 'Bearer', scope: cscope };
-			var urlParsed = url.parse(query.redirect_uri);
-			delete urlParsed.search; // this is a weird behavior of the URL library
+			var token_response = { access_token: access_token, token_type: 'Bearer', scope: rscope.join(' ') };
 			if (query.state) {
 				token_response.state = query.state;
-			} 				
-			urlParsed.hash = qs.stringify(token_response);
-			res.redirect(url.format(urlParsed));
+			}
+		
+			var urlParsed = buildUrl(query.redirect_uri,
+				{},
+				qs.stringify(token_response)
+			);
+			res.redirect(urlParsed);
 			return;
 		} else {
 			// we got a response type we don't understand
-			var urlParsed = url.parse(query.redirect_uri);
-			delete urlParsed.search; // this is a weird behavior of the URL library
-			urlParsed.query = urlParsed.query || {};
-			urlParsed.query.error = 'unsupported_response_type';
-			res.redirect(url.format(urlParsed));
+			var urlParsed = buildUrl(query.redirect_uri, {
+				error: 'unsupported_response_type'
+			});
+			res.redirect(urlParsed);
 			return;
 		}
+		
 	} else {
 		// user denied access
-		var urlParsed = url.parse(query.redirect_uri);
-		delete urlParsed.search; // this is a weird behavior of the URL library
-		urlParsed.query = urlParsed.query || {};
-		urlParsed.query.error = 'access_denied';
-		res.redirect(url.format(urlParsed));
+		var urlParsed = buildUrl(query.redirect_uri, {
+			error: 'access_denied'
+		});
+		res.redirect(urlParsed);
 		return;
 	}
-
+	
 });
 
 app.post("/token", function(req, res){
-
+	
 	var auth = req.headers['authorization'];
 	if (auth) {
 		// check the auth header
-		var clientCredentials = new Buffer(auth.slice('basic '.length), 'base64').toString().split(':');
-		var clientId = querystring.unescape(clientCredentials[0]);
-		var clientSecret = querystring.unescape(clientCredentials[1]);
+		var clientCredentials = decodeClientCredentials(auth);
+		var clientId = clientCredentials.id;
+		var clientSecret = clientCredentials.secret;
 	}
 
 	// otherwise, check the post body
@@ -220,62 +210,92 @@ app.post("/token", function(req, res){
 
 		if (code) {
 			delete codes[req.body.code]; // burn our code, it's been used
-			if (code.authorizationEndpointRequest.client_id == clientId) {
+			if (code.request.client_id == clientId) {
 
 				var access_token = randomstring.generate();
 				var refresh_token = randomstring.generate();
 
 				nosql.insert({ access_token: access_token, client_id: clientId, scope: code.scope });
 				nosql.insert({ refresh_token: refresh_token, client_id: clientId, scope: code.scope });
 
+				console.log('Issuing access token %s', access_token);
+
 				var token_response = { access_token: access_token, token_type: 'Bearer',  refresh_token: refresh_token, scope: code.scope.join(' ') };
 
 				res.status(200).json(token_response);
 				console.log('Issued tokens for code %s', req.body.code);
 
 				return;
 			} else {
-				console.log('Client mismatch, expected %s got %s', code.authorizationEndpointRequest.client_id, clientId);
+				console.log('Client mismatch, expected %s got %s', code.request.client_id, clientId);
 				res.status(400).json({error: 'invalid_grant'});
 				return;
 			}
+		
+
 		} else {
 			console.log('Unknown code, %s', req.body.code);
 			res.status(400).json({error: 'invalid_grant'});
 			return;
 		}
 	} else if (req.body.grant_type == 'refresh_token') {
-		nosql.all(function(token) {
-			return (token.refresh_token == req.body.refresh_token);
-		}, function(err, tokens) {
-			if (tokens.length == 1) {
-				var token = tokens[0];
+		nosql.one(function(token) {
+			if (token.refresh_token == req.body.refresh_token) {
+				return token;	
+			}
+		}, function(err, token) {
+			if (token) {
+				console.log("We found a matching refresh token: %s", req.body.refresh_token);
 				if (token.client_id != clientId) {
-					console.log('Invalid client using a refresh token, expected %s got %s', token.client_id, clientId);
 					nosql.remove(function(found) { return (found == token); }, function () {} );
-					res.status(400).end();
-					return
+					res.status(400).json({error: 'invalid_grant'});
+					return;
 				}
-				console.log("We found a matching token: %s", req.body.refresh_token);
 				var access_token = randomstring.generate();
-				var token_response = { access_token: access_token, token_type: 'Bearer',  refresh_token: req.body.refresh_token };
 				nosql.insert({ access_token: access_token, client_id: clientId });
-				console.log('Issuing access token %s for refresh token %s', access_token, req.body.refresh_token);
+				var token_response = { access_token: access_token, token_type: 'Bearer',  refresh_token: token.refresh_token };
 				res.status(200).json(token_response);
 				return;
 			} else {
 				console.log('No matching token was found.');
-				res.status(401).end();
+				res.status(400).json({error: 'invalid_grant'});
+				return;
 			}
 		});
 	} else {
 		console.log('Unknown grant type %s', req.body.grant_type);
 		res.status(400).json({error: 'unsupported_grant_type'});
-		return;
 	}
-
 });
 
+var buildUrl = function(base, options, hash) {
+	var newUrl = url.parse(base, true);
+	delete newUrl.search;
+	if (!newUrl.query) {
+		newUrl.query = {};
+	}
+	__.each(options, function(value, key, list) {
+		newUrl.query[key] = value;
+	});
+	if (hash) {
+		newUrl.hash = hash;
+	}
+	
+	return url.format(newUrl);
+};
+
+var decodeClientCredentials = function(auth) {
+	var clientCredentials = new Buffer(auth.slice('basic '.length), 'base64').toString().split(':');
+	var clientId = querystring.unescape(clientCredentials[0]);
+	var clientSecret = querystring.unescape(clientCredentials[1]);	
+	return { id: clientId, secret: clientSecret };
+};
+
+var getScopesFromForm = function(body) {
+	return __.filter(__.keys(body), function(s) { return __.string.startsWith(s, 'scope_'); })
+				.map(function(s) { return s.slice('scope_'.length); });
+};
+
 app.use('/', express.static('files/authorizationServer'));
 
 // clear the database

exercises/ch-6-ex-4/authorizationServer.js

@@ -15,5 +15,5 @@ var server = app.listen(9000, 'localhost', function () {
 });
 
 app.get("/*", function(req, res){
-	res.sendFile(path.join(__dirname, "files/client/callback.html"));
+	res.sendFile(path.join(__dirname, "files/client/index.html"));
 });

exercises/ch-6-ex-4/client.js

@@ -50,11 +50,6 @@ <h2>Approve this client?</h2>
 		  <% } %>
 
 		   <form class="form" action="/approve" method="POST">
-			   <label>Select user:</label>
-			   <select name="user">
-			     <option value="alice">Alice</option>
-			     <option value="bob">Bob</option>
-			   </select>
 			   <input type="hidden" name="reqid" value="<%- reqid %>">
 			   <% if (scope) { %>
 			   <p>The client is requesting access to the following:</p>

exercises/ch-6-ex-4/files/authorizationServer/approve.html

@@ -64,7 +64,7 @@ <h2>Data from protected resource:</h2>
         var client = {
           'client_id': 'oauth-client-1',
           'redirect_uris': ['http://localhost:9000/callback'],
-          'scope': 'openid profile email address phone'
+          'scope': 'foo bar'
         };
 
         // authorization server information