express-battlenet-oauth - npm Package Compare versions

Comparing version 0.0.4 to 0.0.5

examples/index.js

1

lib/index.js

@@ -56,2 +56,1 @@ var express = require('express');

};
var qs = require('querystring');
var request = require('request');
var uuid = require('node-uuid');

@@ -14,6 +15,14 @@ module.exports = {

if(req.session){
req.session.bnet_state = req.query.scope + ':' + req.query.region + ':' + uuid.v4();
} else {
console.warn('No sessions enabled. This is a security hazard as 3rd parties could take advantage of your' +
'static state query param.');
req.session = {bnet_state: req.query.scope + ':' + req.query.region + ':' + 'NO_SESSIONS'};
}
var params = qs.stringify({
client_id: req.app.get('BNET_ID'),
scope: req.query.scope,
state: req.query.scope + ':' + req.query.region + ':IMPLEMENT_RANDOM',
state: req.session.bnet_state,
redirect_uri: req.app.get('BASE_URL') + req.app.get('BNET_CALLBACK_URL'),

@@ -36,2 +45,27 @@ response_type: 'code'

if(!req.query.state){
res.error = {
error: 'Invalid battle.net response.',
error_description: 'Did not receive a state query parameter from battle.net. This is unusual.'
};
return req.app.get('LOGIN_FAIL')(req, res);
}
if(req.session){
if(!req.session.bnet_state || req.session.bnet_state !== req.query.state){
res.error = {
error: 'Invalid battle.net response.',
error_description: 'State query parameters do not match. This may be caused by a 3rd party trying to exploit.'
};
}
} else {
if(req.query.state !== (req.query.scope + ':' + req.query.region + ':' + 'NO_SESSIONS')){
res.error = {
error: 'Invalid battle.net response.',
error_description: 'State query parameters do not match. This may be caused by a 3rd party trying to exploit.'
};
return req.app.get('LOGIN_FAIL')(req, res);
}
}
try {

@@ -38,0 +72,0 @@ scope = req.query.state.split(':').length ? req.query.state.split(':')[0] : req.app.get('BNET_SCOPE');
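Review bot: In the session-enabled branch of the new state check (the `if(req.session){ if(!req.session.bnet_state || req.session.bnet_state !== req.query.state){ ... } }` block), a mismatch assigns `res.error` but never returns, so execution falls through to the `try {` token exchange with a state that failed validation; by contrast the missing-state branch and the no-session `else` branch both `return req.app.get('LOGIN_FAIL')(req, res);`. Add `return req.app.get('LOGIN_FAIL')(req, res);` directly after the `res.error = { ... };` assignment in that branch so the session path rejects the callback the way the other two branches do — otherwise the session-backed state, which the README describes as the protection against unauthorized 3rd-party authentication, does not actually gate the flow. It also looks like the session value is never consumed after a successful comparison, so clearing it (`delete req.session.bnet_state;`) once checked would make the state single-use; this is inferred, since the rest of the session handling is outside the hunk. The enclosing callback handler starts and ends outside the hunk.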

{
"name": "express-battlenet-oauth",
"version": "0.0.4",
"version": "0.0.5",
"description": "OAuth Authentication for Battle.net (World of Warcraft, Starcraft 2 profiles) for ExpressJS",

@@ -28,6 +28,9 @@ "main": "index.js",

"homepage": "https://github.com/battlejj/express-battlenet-oauth",
"devDependencies": {},
"devDependencies": {
"express-session": "^1.7.6"
},
"dependencies": {
"body-parser": "^1.6.6",
"express": "^4.8.5",
"node-uuid": "^1.4.1",
"querystring": "^0.2.0",

@@ -34,0 +37,0 @@ "request": "^2.40.0"

@@ -11,3 +11,3 @@ express-battlenet-oauth

###Read Before Getting Started
####Read Before Getting Started
<div style="width:100%; background-color:#f1e05a;">

@@ -19,6 +19,13 @@ Blizzard's OAuth requires that your callback URL be served via SSL.

See http://us.battle.net/en/forum/topic/13977887738#8 for more information.
**DISCLAIMER**: The following will seem silly to point out, because without sessions enabled authentication is kind
of pointless, however, please read it anyway.
While not *strictly* required, it is ***highly recommended*** you enable sessions in your application and make
the session available through req.session. If you don't do this, pseudo-random state parameters cannot be created
to prevent unauthorized 3rd party authentication attempts.
</div>
###Easy to Implement
####Minimal Implementation
```javascript

@@ -49,3 +56,13 @@ var express = require('express');

###Options
For a full example please see: https://github.com/battlejj/express-battlenet-oauth/blob/master/examples/index.js
The example should be fully functional as is if you plop in your API Key and Secret and from the root folder run
```
npm install
```
I've included a localhost SSL private key and certificate to be used for testing. It will require you to accept
a security exception since it is a self signed certificate. Chrome is the most ominous about this warning.
####Options
All options for express-battlenet-oauth are set in your main express app via:

@@ -52,0 +69,0 @@
