From 32620902a5a3eb0a54c36c83ab2d6fa1c549783b Mon Sep 17 00:00:00 2001
From: Damien Mathieu <42@dmathieu.com>
Date: Sat, 24 Sep 2011 14:10:46 +0200
Subject: [PATCH 1/3] don't send the request using https if the uri is http
---
 lib/oauth2.js | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/lib/oauth2.js b/lib/oauth2.js
index 373f135..19918cb 100644
--- a/lib/oauth2.js
+++ b/lib/oauth2.js
@@ -1,12 +1,13 @@
 var querystring= require('querystring'),
 crypto= require('crypto'),
 https= require('https'),
+ http= require('http'),
 URL= require('url'),
 OAuthUtils= require('./_utils');
 exports.OAuth2= function(clientId, clientSecret, baseSite, authorizePath, accessTokenPath) {
 this._clientId= clientId;
- this._clientSecret= clientSecret;
+ this._clientSecret= clientSecret;
 this._baseSite= baseSite;
 this._authorizeUrl= authorizePath || "/oauth/authorize";
 this._accessTokenUrl= accessTokenPath || "/oauth/access_token";
@@ -28,10 +29,15 @@ exports.OAuth2.prototype._getAccessTokenUrl= function() {
 exports.OAuth2.prototype._request= function(method, url, headers, post_body, access_token, callback) {
- var creds = crypto.createCredentials({ });
- var parsedUrl= URL.parse( url, true );
- if( parsedUrl.protocol == "https:" && !parsedUrl.port ) parsedUrl.port= 443;
-
+ var creds = crypto.createCredentials({ });
+ var parsedUrl= URL.parse( url, true );
+ if( parsedUrl.protocol == "https:" && !parsedUrl.port ) {
+ parsedUrl.port= 443;
+ http_library = https;
+ } else {
+ http_library = http;
+ }
+
 var realHeaders= {};
 if( headers ) {
 for(var key in headers) {
@@ -72,7 +78,7 @@ exports.OAuth2.prototype._request= function(method, url, headers, post_body, acc
 }
 }
- request = https.request(options, function (response) {
+ request = http_library.request(options, function (response) {
 response.on("data", function (chunk) {
 result+= chunk
 });
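Review bot: In the second hunk the new `else` branch routes every URL whose scheme is not exactly `https:` through `http`, including a URL with no scheme at all (the legacy `URL.parse` leaves `protocol` null there), so the bearer `access_token` or the client secret carried by a token request can leave in cleartext because of a malformed base site rather than an explicit choice; testing for `http:` explicitly, `if( parsedUrl.protocol == "http:" ) { http_library = http; } else { if( !parsedUrl.port ) parsedUrl.port= 443; http_library = https; }`, keeps https as the fallback. `http_library` is also assigned without `var` in both branches, so it becomes an implicit global shared by concurrent `_request` calls, and the `http_library.request(options, ...)` in the third hunk reads whatever the most recent call stored; the next commit in this series declares it locally. A plain `http:` URL without a port also leaves `parsedUrl.port` unset whereas the https branch pins 443 — whether `options.port` is later derived from it is outside the hunk, so it is worth confirming that the library's own default of 80 applies. The body of `_request` continues past both hunks.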
@@ -94,7 +100,7 @@ exports.OAuth2.prototype._request= function(method, url, headers, post_body, acc
 request.write(post_body);
 }
 request.end();
-}
+}
 exports.OAuth2.prototype.getAuthorizeUrl= function( params ) {
@@ -139,7 +145,7 @@ exports.OAuth2.prototype.getOAuthAccessToken= function(code, params, callback) {
 callback(null, access_token, refresh_token);
 }
 });
-}
+}
 // Deprecated
 exports.OAuth2.prototype.getProtectedResource= function(url, access_token, callback) {
From ef51782104b8f9838741a9373e190ca0cca6505e Mon Sep 17 00:00:00 2001
From: ciaranj
Date: Tue, 24 Apr 2012 21:11:20 +0100
Subject: [PATCH 2/3] Fix global scope leak, and amend decision on when to use https or http libraries
---
 lib/oauth2.js | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/lib/oauth2.js b/lib/oauth2.js
index 319fb03..4cfe290 100644
--- a/lib/oauth2.js
+++ b/lib/oauth2.js
@@ -29,13 +29,16 @@ exports.OAuth2.prototype._getAccessTokenUrl= function() {
 exports.OAuth2.prototype._request= function(method, url, headers, post_body, access_token, callback) {
+ var http_library= https;
 var creds = crypto.createCredentials({ });
 var parsedUrl= URL.parse( url, true );
 if( parsedUrl.protocol == "https:" && !parsedUrl.port ) {
 parsedUrl.port= 443;
- http_library = https;
- } else {
- http_library = http;
+ }
+
+ // As this is OAUth2, we *assume* https unless told explicitly otherwise.
+ if( parsedUrl.protocol != "https:" ) {
+ http_library= http;
 }
 var realHeaders= {};
From 6b9323f2de77f3c6b1c276afb5ad0283961c2e0f Mon Sep 17 00:00:00 2001
From: ciaranj
Date: Tue, 24 Apr 2012 21:11:40 +0100
Subject: [PATCH 3/3] Acknowledge contributor
---
 Readme.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Readme.md b/Readme.md
index 9e76806..b003b33 100644
--- a/Readme.md
+++ b/Readme.md
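Review bot: The comment added in the `lib/oauth2.js` hunk of the second patch says https is *assumed* unless told explicitly otherwise, but the condition beneath it, `if( parsedUrl.protocol != "https:" )`, still switches to `http` for every other scheme — including `null` when the URL carries no scheme — so the new `var http_library= https;` default is overwritten in exactly the cases the comment claims to cover and the transport decision is unchanged from the old `else` branch. If the intent is that only an explicit http URL leaves TLS, invert the test, `if( parsedUrl.protocol == "http:" ) {`, and reword the comment to say that anything else, including a missing scheme, is sent over https. The https branch above pins port 443 while an explicit `http:` URL gets no port default; whether the options object later falls back to 80 is outside this hunk. The rest of `_request` continues beyond the hunk.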
@@ -10,7 +10,7 @@ Also provides rudimentary OAuth2 support, tested against facebook connect and gi
 Change History
 ==============
-* 0.10.0 - OAuth2: Pass back any extra response data for calls to getOAuthAccessToken (Thanks to Tang Bo Hao)
+* 0.10.0 - OAuth2: Pass back any extra response data for calls to getOAuthAccessToken (Thanks to Tang Bo Hao) OAuth2: Don't force a https request if given a http url (Thanks to Damien Mathieu)
 * 0.9.6 - Support for 302 redirects on OAuth2 (Thanks Patrick Negri). Some code tidying. ( Thanks to Raoul Millais )
 * 0.9.5 - Allow usage of HTTP verbs other than GET for retrieving the access and request tokens (OAuth1) (Thanks to Raoul Millais)
 * 0.9.4 - Support for OAuth providers that drop connections (don't send response lengths? [Google]) And change OAuth2 getOAuthAccessToken to POST rather than GET ( Possible Breaking change!!! ... re-tested against Google, Github, Facebook, FourSquare and Janrain and seems ok .. is closer to the spec (v20) )
@@ -41,3 +41,4 @@ Contributors
 * Raoul Millais
 * Patrick Negri - http://github.com/pnegri
 * Tang Bo Hao - http://github.com/btspoony
+* Damien Mathieu - http://42.dmathieu.com