openid-client
Comparing version 2.2.1 to 2.3.0
@@ -1,38 +0,17 @@ | ||
# openid-client CHANGELOG | ||
# Change Log | ||
Yay for [SemVer](http://semver.org/). | ||
All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. | ||
**Table of Contents** | ||
<a name="2.3.0"></a> | ||
# [2.3.0](https://github.com/panva/node-openid-client/compare/v2.2.1...v2.3.0) (2018-08-11) | ||
<!-- TOC depthFrom:2 depthTo:2 withLinks:1 updateOnSave:1 orderedList:0 --> | ||
- [Version 2.2.x](#version-22x) | ||
- [Version 2.1.x](#version-21x) | ||
- [Version 2.0.x](#version-20x) | ||
- [Version 1.20.0](#version-1200) | ||
- [Version 1.19.x](#version-119x) | ||
- [Version 1.18.x](#version-118x) | ||
- [Version 1.17.0](#version-1170) | ||
- [Version 1.16.0](#version-1160) | ||
- [Version 1.15.0](#version-1150) | ||
- [Version 1.14.0](#version-1140) | ||
- [Version 1.13.0](#version-1130) | ||
- [Version 1.12.0](#version-1120) | ||
- [Version 1.11.0](#version-1110) | ||
- [Version 1.10.0](#version-1100) | ||
- [Version 1.9.0](#version-190) | ||
- [Version 1.8.0](#version-180) | ||
- [Version 1.7.0](#version-170) | ||
- [Version 1.6.0](#version-160) | ||
- [Version 1.5.0](#version-150) | ||
- [Version 1.4.0](#version-140) | ||
- [Version 1.3.0](#version-130) | ||
- [Version 1.2.0](#version-120) | ||
- [Version 1.1.0](#version-110) | ||
- [Version 1.0.0](#version-100) | ||
- [Migrating from 0.x to 1.0](#migrating-from-0x-to-10) | ||
- [pre 1.x changelog](#pre-1x-changelog) | ||
### Features | ||
<!-- /TOC --> | ||
* authorization response parameter checking based on response_type ([6e0ac57](https://github.com/panva/node-openid-client/commit/6e0ac57)) | ||
* passport strategy automatically checks response REQUIRED params ([902eeed](https://github.com/panva/node-openid-client/commit/902eeed)) | ||
# Pre standard-version Change Log | ||
## Version 2.2.x | ||
@@ -39,0 +18,0 @@ ### Version 2.2.1 |
@@ -323,3 +323,11 @@ const util = require('util'); | ||
if (checks.state !== parameters.state) { | ||
if (!params.state && checks.state) { | ||
return Promise.reject(new Error('state missing from response')); | ||
} | ||
if (params.state && !checks.state) { | ||
return Promise.reject(new Error('checks.state missing')); | ||
} | ||
if (checks.state !== params.state) { | ||
return Promise.reject(new Error('state mismatch')); | ||
@@ -332,2 +340,24 @@ } | ||
const RESPONSE_TYPE_REQUIRED_PARAMS = { | ||
code: ['code'], | ||
id_token: ['id_token'], | ||
token: ['access_token', 'token_type'], | ||
}; | ||
if (checks.response_type) { | ||
for (const type of checks.response_type.split(' ')) { // eslint-disable-line no-restricted-syntax | ||
if (type === 'none') { | ||
if (params.code || params.id_token || params.access_token) { | ||
return Promise.reject(new Error('unexpected params encountered for "none" response')); | ||
} | ||
} else { | ||
for (const param of RESPONSE_TYPE_REQUIRED_PARAMS[type]) { // eslint-disable-line no-restricted-syntax, max-len | ||
if (!params[param]) { | ||
return Promise.reject(new Error(`${param} missing from response`)); | ||
} | ||
} | ||
} | ||
} | ||
} | ||
let promise; | ||
@@ -373,3 +403,11 @@ | ||
if (checks.state !== parameters.state) { | ||
if (!params.state && checks.state) { | ||
return Promise.reject(new Error('state missing from response')); | ||
} | ||
if (params.state && !checks.state) { | ||
return Promise.reject(new Error('checks.state missing')); | ||
} | ||
if (checks.state !== params.state) { | ||
return Promise.reject(new Error('state mismatch')); | ||
@@ -382,2 +420,25 @@ } | ||
const RESPONSE_TYPE_REQUIRED_PARAMS = { | ||
code: ['code'], | ||
token: ['access_token', 'token_type'], | ||
}; | ||
if (checks.response_type) { | ||
for (const type of checks.response_type.split(' ')) { // eslint-disable-line no-restricted-syntax | ||
if (type === 'none') { | ||
if (params.code || params.id_token || params.access_token) { | ||
return Promise.reject(new Error('unexpected params encountered for "none" response')); | ||
} | ||
} | ||
if (RESPONSE_TYPE_REQUIRED_PARAMS[type]) { | ||
for (const param of RESPONSE_TYPE_REQUIRED_PARAMS[type]) { // eslint-disable-line no-restricted-syntax, max-len | ||
if (!params[param]) { | ||
return Promise.reject(new Error(`${param} missing from response`)); | ||
} | ||
} | ||
} | ||
} | ||
} | ||
if (params.code) { | ||
@@ -384,0 +445,0 @@ return this.grant({ |
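Review bot: `for (const param of RESPONSE_TYPE_REQUIRED_PARAMS[type])` in the first `RESPONSE_TYPE_REQUIRED_PARAMS` hunk sits in a bare `else`, so a `response_type` token outside `code`/`id_token`/`token`/`none` (including an empty token from a doubled space in `split(' ')`) indexes the table to `undefined` and throws a synchronous TypeError instead of the rejected promise every other check in this function returns. The second hunk guards the same lookup with `if (RESPONSE_TYPE_REQUIRED_PARAMS[type])`, which avoids the throw but silently accepts an unrecognized type, so the two callbacks diverge and the second fails open. Rejecting explicitly in both keeps the check fail-closed: replace the bare `} else {` with `} else if (!RESPONSE_TYPE_REQUIRED_PARAMS[type]) { return Promise.reject(new Error('unsupported response_type')); } else {`, and give the second hunk the same reject-on-unknown shape in place of its `if` guard. Whether `id_token` is intentionally absent from the second table (an OAuth-only callback) is not visible here; if so, a one-line comment on that table saying why would help. The enclosing callback functions start before and end after these hunks.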
@@ -33,2 +33,3 @@ const pkg = require('../../package.json'); | ||
'error_description', | ||
'error_uri', | ||
'expires_in', | ||
@@ -35,0 +36,0 @@ 'id_token', |
@@ -91,3 +91,3 @@ /* eslint-disable no-underscore-dangle */ | ||
req.session[sessionKey] = _.pick(params, 'nonce', 'state', 'max_age'); | ||
req.session[sessionKey] = _.pick(params, 'nonce', 'state', 'max_age', 'response_type'); | ||
@@ -115,8 +115,16 @@ if (this._usePKCE) { | ||
/* start authentication response */ | ||
const session = req.session[sessionKey]; | ||
const state = _.get(session, 'state'); | ||
const maxAge = _.get(session, 'max_age'); | ||
const nonce = _.get(session, 'nonce'); | ||
const codeVerifier = _.get(session, 'code_verifier'); | ||
if (_.isEmpty(session)) { | ||
this.error(new Error(util.format( | ||
`did not find expected authorization request details in session, req.session["${sessionKey}"] is %j`, | ||
session | ||
))); | ||
return; | ||
} | ||
const { | ||
state, nonce, max_age: maxAge, code_verifier: codeVerifier, response_type: responseType, | ||
} = session; | ||
try { | ||
@@ -135,2 +143,3 @@ delete req.session[sessionKey]; | ||
code_verifier: codeVerifier, | ||
response_type: responseType, | ||
}; | ||
@@ -173,7 +182,2 @@ | ||
this.fail(error); | ||
} else if (error.message === 'state mismatch' && !state) { | ||
this.error(new Error(util.format( | ||
'state mismatch, could not find a state in the session, this is likely an environment setup issue, loaded session: %j', | ||
session | ||
))); | ||
} else { | ||
@@ -180,0 +184,0 @@ this.error(error); |
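Review bot: The new required-params check is only armed when `response_type` makes it into the session at `_.pick(params, 'nonce', 'state', 'max_age', 'response_type')`; if the strategy allows `params.response_type` to be omitted and the effective value comes from a client or strategy default resolved elsewhere (not visible here), `responseType` is `undefined` at the callback and `client.authorizationCallback` skips the check entirely, so it fails open for exactly the default configuration. If a default is resolved before this line, store the resolved value in the session rather than the raw param (or pass the configured default as `response_type` when building the `checks` object) so the check always runs; if `response_type` is guaranteed present in `params`, a one-line comment at the `_.pick` call stating that guarantee would spare the next reader the question. The enclosing function starts before and ends after the visible hunks.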
{ | ||
"name": "openid-client", | ||
"version": "2.2.1", | ||
"version": "2.3.0", | ||
"description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js servers, supports passportjs", | ||
@@ -36,2 +36,3 @@ "keywords": [ | ||
"scripts": { | ||
"commitmsg": "commitlint -E GIT_PARAMS", | ||
"coverage": "nyc mocha", | ||
@@ -42,6 +43,2 @@ "lint": "eslint lib example test", | ||
}, | ||
"pre-commit": [ | ||
"coverage", | ||
"lint" | ||
], | ||
"dependencies": { | ||
@@ -58,2 +55,4 @@ "base64url": "^3.0.0", | ||
"devDependencies": { | ||
"@commitlint/cli": "^7.0.0", | ||
"@commitlint/config-conventional": "^7.0.1", | ||
"chai": "^4.1.2", | ||
@@ -63,2 +62,3 @@ "eslint": "^4.19.1", | ||
"eslint-plugin-import": "^2.12.0", | ||
"husky": "^0.14.3", | ||
"koa": "^2.5.1", | ||
@@ -72,3 +72,2 @@ "koa-body": "^4.0.0", | ||
"nyc": "^12.0.2", | ||
"pre-commit": "^1.2.2", | ||
"readable-mock-req": "^0.2.2", | ||
@@ -82,2 +81,7 @@ "request": "^2.87.0", | ||
}, | ||
"commitlint": { | ||
"extends": [ | ||
"@commitlint/config-conventional" | ||
] | ||
}, | ||
"nyc": { | ||
@@ -84,0 +88,0 @@ "reporter": [ |
@@ -59,3 +59,3 @@ # openid-client | ||
Filip Skokan has [certified][openid-certified-link] that [openid-client][npm-url] | ||
conforms to the RP Basic, RP Implicit, RP Hybrid, RP Config and RP Dynamic profiles | ||
conforms to the RP Basic, RP Implicit, RP Hybrid, RP Config, RP Dynamic and RP Form Post profiles | ||
of the OpenID Connect™ protocol. | ||
@@ -66,17 +66,7 @@ | ||
## Sponsor | ||
<table> | ||
<tbody> | ||
<tr> | ||
<td> | ||
<img alt="auth0-logo" src="https://avatars.githubusercontent.com/u/2824157?s=75&v=4" style="max-width:100%;"> | ||
</td> | ||
<td colspan="2"> | ||
If you want to quickly add OpenID Connect authentication to Node.js apps, feel free to check out Auth0's Node.js SDK and free plan at <a href="https://auth0.com/overview?utm_source=GHsponsor&utm_medium=GHsponsor&utm_campaign=openid-client&utm_content=auth">auth0.com/overview</a>. | ||
</td> | ||
</tr> | ||
</tbody> | ||
</table> | ||
<h2>Sponsor</h2> | ||
[<img width="65" height="65" align="left" src="https://avatars.githubusercontent.com/u/2824157?s=75&v=4" alt="auth0-logo">][sponsor-auth0] If you want to quickly add OpenID Connect authentication to Node.js apps, feel free to check out Auth0's Node.js SDK and free plan at [auth0.com/overview][sponsor-auth0].<br><br> | ||
## Example | ||
@@ -171,8 +161,7 @@ Head over to the example folder to see the library in use. This example is deployed and configured | ||
### Processing callback with state, nonce or max_age check | ||
### Processing callback with required params, state, nonce or max_age checks (recommended) | ||
```js | ||
const state = session.state; | ||
const nonce = session.nonce; | ||
const { state, nonce, max_age, response_type } = session[authorizationRequestState]; | ||
client.authorizationCallback('https://client.example.com/callback', request.query, { state, nonce, max_age }) // => Promise | ||
client.authorizationCallback('https://client.example.com/callback', request.query, { state, nonce, max_age, response_type }) // => Promise | ||
.then(function (tokenSet) { | ||
@@ -184,3 +173,3 @@ console.log('received and validated tokens %j', tokenSet); | ||
### IdP Errors - OpenIdConnectError | ||
### OP Errors - OpenIdConnectError | ||
When the OpenID Provider returns an OIDC formatted error from either authorization callbacks or | ||
@@ -536,1 +525,2 @@ any of the JSON responses the library will reject a given Promise with `OpenIdConnectError` instance. | ||
[npm-url]: https://www.npmjs.com/package/openid-client | ||
[sponsor-auth0]: https://auth0.com/overview?utm_source=GHsponsor&utm_medium=GHsponsor&utm_campaign=openid-client&utm_content=auth |