oauth2orize
implement immediate query flag
I know this is not in the spec, but this is the easiest way to implement support for it. Also it could be useful for others.
The only other solution I saw was to split the validation and the immediate code handling into two different middlewares.
It is based on Salesforce's documentation [1].
The use case is that I want to do the authorization in a hidden iframe and only fall back to a redirect if it fails.
For reference, I'm using it as in the following code.
I don't think the x-frame-options part should be part of oauth2orize.
// Middleware chain for the authorization endpoint, as used with this patch.
// `server` (an oauth2orize server), `validate`, `immediate` and `renderDialog` are
// defined elsewhere in the application; `ensureLoggedIn` is assumed to come from
// connect-ensure-login.
module.exports =
  [ function (req, res, next) {
      // Let the immediate flow load inside the caller's hidden iframe. removeHeader only
      // removes a header already set by earlier middleware, so this has to run after it.
      if (req.query.immediate === 'true') {
        res.removeHeader('x-frame-options')
      }
      next()
    }
  , server.authorize(validate, immediate)
  , ensureLoggedIn()
  , renderDialog
  , server.errorHandler({ mode: 'indirect' })
  ]
[1] https://help.salesforce.com/HTViewHelpDoc?id=remoteaccess_oauth_web_server_flow.htm&language=en_US
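The hidden-iframe-first, redirect-on-failure flow that the description sketches, written out as an added browser-side example. This is not code from the PR or from oauth2orize. It assumes a hypothetical authorization endpoint at https://auth.example.test/dialog/authorize, and it assumes that the page served at redirect_uri posts its own location.search back to the parent window with window.postMessage so the parent can read the outcome without reaching into the iframe's document. The immediate query flag is the one discussed in the PR; the state check and the error codes in the sample responses are the example's own.

```javascript
// Added example (browser side), not part of the PR: try authorization with immediate=true in a
// hidden iframe, and fall back to a top-level redirect to the interactive dialog if that fails.
// Assumptions: the endpoint URL is hypothetical, and the redirect_uri page is assumed to call
// window.parent.postMessage(location.search, <this page's origin>) when it loads.

const AUTHORIZE_ENDPOINT = 'https://auth.example.test/dialog/authorize'; // hypothetical
const IMMEDIATE_TIMEOUT_MS = 5000;

// Build the authorization URL; the non-standard immediate flag is only added for the silent attempt.
function buildAuthorizeUrl(base, params, immediate) {
  const url = new URL(base);
  for (const [key, value] of Object.entries(params)) url.searchParams.set(key, value);
  if (immediate) url.searchParams.set('immediate', 'true');
  return url.toString();
}

// Interpret the query string the server redirected to. A response whose state does not match
// the value this client generated is rejected before anything else is looked at.
function classifyAuthorizeResponse(search, expectedState) {
  const q = new URLSearchParams(search);
  if (q.get('state') !== expectedState) return { ok: false, error: 'state_mismatch' };
  if (q.has('error')) return { ok: false, error: q.get('error') };
  if (q.has('code')) return { ok: true, code: q.get('code') };
  return { ok: false, error: 'no_code' };
}

// Silent attempt first; any failure (error response, bad state, timeout) sends the top-level
// window to the same endpoint without immediate=true, where the user can log in and consent.
function authorizeWithFallback({ clientId, redirectUri, scope, onSuccess }) {
  const state = Array.from(window.crypto.getRandomValues(new Uint8Array(16)),
    (b) => b.toString(16).padStart(2, '0')).join('');
  const params = { response_type: 'code', client_id: clientId, redirect_uri: redirectUri, scope, state };
  const expectedOrigin = new URL(redirectUri).origin;
  const iframe = document.createElement('iframe');
  iframe.style.display = 'none';

  function cleanup() {
    window.removeEventListener('message', onMessage);
    iframe.remove();
  }
  function fallback() {
    cleanup();
    window.location.assign(buildAuthorizeUrl(AUTHORIZE_ENDPOINT, params, false));
  }
  const timer = setTimeout(fallback, IMMEDIATE_TIMEOUT_MS);

  function onMessage(event) {
    // Only accept a message from the redirect_uri origin, and only from our own iframe.
    if (event.origin !== expectedOrigin || event.source !== iframe.contentWindow) return;
    clearTimeout(timer);
    const result = classifyAuthorizeResponse(String(event.data), state);
    if (result.ok) {
      cleanup();
      onSuccess(result.code);
    } else {
      fallback();
    }
  }

  window.addEventListener('message', onMessage);
  iframe.src = buildAuthorizeUrl(AUTHORIZE_ENDPOINT, params, true);
  document.body.appendChild(iframe);
}
```

This only works if the server answers an immediate request with a redirect rather than a page, which is why the middleware in the description drops X-Frame-Options for that case alone. The consent dialog itself must still be served with the header in place; the frame-breaking protection is what stops the dialog from being clickjacked, so the immediate path must never render it.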
Coverage remained the same when pulling 7ac468dc4b9c4e59852ad5db5996dd827eeb17ce on tellnes:immediate into 1a9c8ee94ac99dbc2875288ab9160b42f16799d9 on jaredhanson:master.
What if we just add another arity form of the immediate callback, something like:
immediate(req, req.oauth2.client, req.oauth2.user, req.oauth2.req.scope, immediated);
Then the application can check any query params and handle as necessary. I'd like to keep extensions and other not-to-spec things outside of this module, and this would allow that. Thoughts?
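What an application-side immediate callback could look like against the five-argument form proposed above, as an added example. This is not code from the PR or from oauth2orize. It assumes that the last argument, immediated, behaves like oauth2orize's usual done-style callback (immediated(err, allow)), that an error passed to it reaches server.errorHandler({ mode: 'indirect' }) and is reported to the client via the err.code property, and that the user argument is undefined when the request is not yet authenticated (server.authorize runs before ensureLoggedIn() in the chain from the description). The consent store, the client and user shapes and the immediate_unsuccessful error code are the example's own.

```javascript
// Added example, not from the PR or from oauth2orize itself: an application `immediate`
// callback using the proposed signature immediate(req, client, user, scope, immediated).
// Assumptions: immediated(err, allow) is a done-style callback; an Error with a `code`
// property is reported back to the client by the indirect error handler; `user` may be
// undefined because the login check runs later in the middleware chain.

// Constructed sample data: scopes each user has previously granted to each client id.
const consentStore = {
  'user-1': { 'client-a': ['profile', 'email'] },
};

function normalizeScope(scope) {
  if (Array.isArray(scope)) return scope;
  if (typeof scope === 'string' && scope.length > 0) return scope.split(' ');
  return [];
}

function hasGrantedAll(userId, clientId, requested) {
  const granted = (consentStore[userId] && consentStore[userId][clientId]) || [];
  return requested.every((s) => granted.includes(s));
}

// Pure decision, kept apart from the middleware so it can be tested without a server.
// Returns { allow: true } to answer at once, { allow: false } to continue to the consent
// dialog, or { error } to abort with an OAuth error instead of rendering anything.
function decideImmediate(req, client, user, scope) {
  const requested = normalizeScope(scope);
  const wantsImmediate = Boolean(req.query) && req.query.immediate === 'true';

  if (!user) {
    // Nobody is logged in. The interactive flow continues to ensureLoggedIn(); an
    // immediate request cannot show a login page, so it fails instead.
    return wantsImmediate ? { error: 'immediate_unsuccessful' } : { allow: false };
  }
  if (hasGrantedAll(user.id, client.id, requested)) {
    return { allow: true }; // prior consent covers every requested scope: skip the dialog
  }
  // Consent would need the dialog. With immediate=true that is not acceptable, because the
  // dialog would be rendered inside the caller's hidden iframe, so fail fast.
  return wantsImmediate ? { error: 'immediate_unsuccessful' } : { allow: false };
}

function immediate(req, client, user, scope, immediated) {
  const decision = decideImmediate(req, client, user, scope);
  if (decision.error) {
    const err = new Error('user interaction is required but immediate=true was requested');
    err.code = decision.error; // hypothetical error code, modelled on the Salesforce flow
    return immediated(err);
  }
  return immediated(null, decision.allow);
}
```

Reading req.query inside the callback is exactly what the proposal enables: the extension stays in application code, and oauth2orize never has to know the flag exists.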
That looks like a much better solution. I did not expect to get this merged, but I did expect it to end in a solution.
The only nit is that it is already a lot of arguments. Maybe we should consider passing an object and the immediated method. Everything you need is available on the request object (req). But that would mean that req.oauth2 must be defined as a public API. I don't know if it is today?
immediate(req, immediated);