From 5e8962df2817f740b32317bef182fe80b2be6f54 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20K=C3=BCster?=
Date: Mon, 29 Nov 2021 09:38:41 +0100
Subject: [PATCH 1/2] fix(handler): deny access when body.allowed is 'false'

---
 lib/handlers/authorize-handler.js | 7 ++++++-
 .../handlers/authorize-handler_test.js | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/lib/handlers/authorize-handler.js b/lib/handlers/authorize-handler.js
index e825012..cf2b5a8 100644
--- a/lib/handlers/authorize-handler.js
+++ b/lib/handlers/authorize-handler.js
@@ -77,7 +77,12 @@ AuthorizeHandler.prototype.handle = function(request, response) {
     throw new InvalidArgumentError('Invalid argument: `response` must be an instance of Response');
   }
 
-  if ('false' === request.query.allowed) {
+  const notAllowed = [
+    request.query.allowed,
+    request.body.allowed
+  ].some(allowed => 'false' === allowed);
+
+  if (notAllowed) {
     return Promise.reject(new AccessDeniedError('Access denied: user denied access to application'));
   }
 
diff --git a/test/integration/handlers/authorize-handler_test.js b/test/integration/handlers/authorize-handler_test.js
index 49d2c0d..d253378 100644
--- a/test/integration/handlers/authorize-handler_test.js
+++ b/test/integration/handlers/authorize-handler_test.js
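Review bot: The widened check on `request.body.allowed` still recognises only the string `'false'`, so a JSON-parsed body carrying the boolean `false` (`{"allowed": false}`) is not treated as a denial and control proceeds past the deny branch; a form-encoded consent POST is caught, a JSON client's refusal is not. If the body is known to always be form-encoded this is fine; otherwise compare the stringified value, `].some(allowed => String(allowed) === 'false');`, so both encodings deny. The same string-only comparison is kept in the second patch's rewrite of this branch, and the new test in authorize-handler_test.js exercises only `body: { allowed: 'false' }`; a companion case with `body: { allowed: false }` would pin whichever behaviour is intended. The body of `handle` continues outside the hunk.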
@@ -177,6 +177,24 @@ describe('AuthorizeHandler integration', function() {
       });
     });
 
+    it('should throw an error if `allowed` is `false` body', function() {
+      const model = {
+        getAccessToken: function() {},
+        getClient: function() {},
+        saveAuthorizationCode: function() {}
+      };
+      const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
+      const request = new Request({ body: { allowed: 'false' }, headers: {}, method: {}, query: {} });
+      const response = new Response({ body: {}, headers: {} });
+
+      return handler.handle(request, response)
+        .then(should.fail)
+        .catch(function(e) {
+          e.should.be.an.instanceOf(AccessDeniedError);
+          e.message.should.equal('Access denied: user denied access to application');
+        });
+    });
+
     it('should redirect to an error response if a non-oauth error is thrown', function() {
       const model = {
         getAccessToken: function() {
From 5b5de2449465184edbb0d5a65df859101738841d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20K=C3=BCster?=
Date: Mon, 20 Dec 2021 07:57:54 +0100
Subject: [PATCH 2/2] fix(authorization): use simplified if-branch to check for body allow value

---
 lib/handlers/authorize-handler.js | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/lib/handlers/authorize-handler.js b/lib/handlers/authorize-handler.js
index cf2b5a8..78341e8 100644
--- a/lib/handlers/authorize-handler.js
+++ b/lib/handlers/authorize-handler.js
@@ -77,12 +77,7 @@ AuthorizeHandler.prototype.handle = function(request, response) {
     throw new InvalidArgumentError('Invalid argument: `response` must be an instance of Response');
   }
 
-  const notAllowed = [
-    request.query.allowed,
-    request.body.allowed
-  ].some(allowed => 'false' === allowed);
-
-  if (notAllowed) {
+  if (request.query.allowed === 'false' || request.body.allowed === 'false') {
     return Promise.reject(new AccessDeniedError('Access denied: user denied access to application'));
   }
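Review bot: The new condition in `handle` consults two request locations without saying why, and a reader of this security-relevant branch has to guess which encodings count as a refusal; a short comment above it would settle both, e.g. `// The resource owner's consent decision may arrive in the query string or in the form body (presumably GET vs. POST consent flows); only the literal string 'false' is treated as a denial.` Stating the string-only contract matters because a JSON body with boolean `false` falls through this check rather than being rejected. The body of `handle` continues outside the hunk.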