fix #129 Setting token in query params and Authorization header violates spec
This commit is contained in:
parent
ba81ad43bd
commit
798157c185
|
@ -67,7 +67,7 @@ exports.OAuth2.prototype._request= function(method, url, headers, post_body, acc
|
|||
realHeaders['Host']= parsedUrl.host;
|
||||
|
||||
realHeaders['Content-Length']= post_body ? Buffer.byteLength(post_body) : 0;
|
||||
if( access_token ) {
|
||||
if( access_token && !('Authorization' in headers)) {
|
||||
if( ! parsedUrl.query ) parsedUrl.query= {};
|
||||
parsedUrl.query[this._accessTokenName]= access_token;
|
||||
}
|
||||
|
|
|
@ -1,7 +1,8 @@
|
|||
var vows = require('vows'),
|
||||
assert = require('assert'),
|
||||
https = require('https'),
|
||||
OAuth2= require('../lib/oauth2').OAuth2;
|
||||
OAuth2= require('../lib/oauth2').OAuth2,
|
||||
url = require('url');
|
||||
|
||||
vows.describe('OAuth2').addBatch({
|
||||
'Given an OAuth2 instance with clientId and clientSecret, ': {
|
||||
|
@ -16,6 +17,16 @@ vows.describe('OAuth2').addBatch({
|
|||
assert.equal( refresh_token, "refresh");
|
||||
});
|
||||
},
|
||||
'we should not include access token in both querystring and headers': function (oa) {
|
||||
oa._request = new OAuth2("clientId", "clientSecret")._request.bind(oa);
|
||||
oa._executeRequest= function( http_library, options, post_body, callback) {
|
||||
callback(null, url.parse(options.path, true).query, options.headers);
|
||||
};
|
||||
oa.get("/userinfo", 'access', function(error, query, headers) {
|
||||
assert.ok( !('access_token' in query), "access_token not in query");
|
||||
assert.ok( 'Authorization' in headers, "Authorization in headers");
|
||||
});
|
||||
},
|
||||
'we should correctly extract the token if received as a JSON literal': function (oa) {
|
||||
oa._request= function(method, url, headers, post_body, access_token, callback) {
|
||||
callback(null, '{"access_token":"access","refresh_token":"refresh"}');
|
||||
|
|
Loading…
Reference in New Issue