node-oauth2-server icon indicating copy to clipboard operation
node-oauth2-server copied to clipboard
verified publisher icon oauthjs

authenticateHandler.handle returning null causes error

Open cancan101 opened this issue 3 years ago • 2 comments

The docs for authenticateHandler say:

If there is no associated user (i.e. the user is not logged in) a falsy value should be returned.

However if I return null I then get the following Error: https://github.com/oauthjs/node-oauth2-server/blob/91d2cbe70a0eddc53d72def96864e2de0fd41703/lib/handlers/authorize-handler.js#L263-L265

cancan101 avatar Jun 20 '22 23:06 cancan101

and perhaps related is there anyway to redirect a non logged in user from within authenticateHandler to a login screen?

cancan101 avatar Jun 20 '22 23:06 cancan101

Noticed this as well. We use the authenticateHandler for the login form that shows up on the authorization server, for auth code flow.... something like this:

app.post('/login', async handler(req, res) {
  await req.oauth.authorize({
    authenticateHandler: {
      async handle() {
        return app.oauth.getUser(req.body.username, req.body.password, req.query)
      },
    },
  })
})

Before, the modal method would return null if a valid user could not be found and we'd get a server error. Now, it throws an invalid grant error if a user can't be found, similar to how it gets handled in the password flow, here:

https://github.com/oauthjs/node-oauth2-server/blob/6d4c98794bc024a8cf93cf9e79f92f93766da9f4/lib/grant-types/password-grant-type.js#L93-L95

So this way it's at least consistent between the two.... IMO, the code in the authorize handler should throw an InvalidGrantError similar to how the password grant type does it, see above ^^

tswaters avatar Oct 12 '22 20:10 tswaters