node-oauth2-server

State missing in location header request in case of invalid scope

Open lemagicien00 opened this issue 5 years ago • 0 comments

When requesting an authorization code with an invalid scope and a state parameter, 'location' in the response header does not contain '&state=xxxx' in the URL.

While for the other invalid cases (missing 'code_type' and invalid 'code_type') it is present.

It's because scope validation fails and then the state is not added to the error response.

```javascript
AuthorizeHandler.prototype.handle = function(request, response) {
  // ...
        .then(function(validScope) {
          // This throws on an invalid scope, so the chain jumps to the error
          // path before `state` has been read from the request.
          scope = validScope;

          return this.generateAuthorizationCode(client, user, scope);
        })
        .then(function(authorizationCode) {
          // Move this assignment into the first then() above so that `state`
          // is already known when scope validation fails.
          state = this.getState(request);
          ResponseType = this.getResponseType(request);

          return this.saveAuthorizationCode(authorizationCode, expiresAt, scope, client, uri, user);
        })
        .then(function(code) {
          var responseType = new ResponseType(code.authorizationCode);
          var redirectUri = this.buildSuccessRedirectUri(uri, responseType);

          this.updateResponse(response, redirectUri, state);

          return code;
        })
```

I suggest moving the state assignment to the first then().

Best regards

lemagicien00 avatar Nov 06 '20 11:11 lemagicien00