Fix client credentials extraction from Authorization header

Thom Seddon · Thom Seddon · commit 8496087489d2 · 2013-06-23T19:35:20.000+01:00
Fixed by trimming the authorization header
diff --git a/lib/token.js b/lib/token.js
@@ -100,7 +100,7 @@ token.getClientCredentials = function (req) {
 		if (parts.length !== 2) return false;
 
 		var scheme = parts[0],
-			credentials = new Buffer(parts[1], 'base64').toString(),
+			credentials = new Buffer(parts[1], 'base64').toString().replace(/^\s+|\s+$/g, ""),
 			index = credentials.indexOf(':');
 
 		if (scheme !== 'Basic' || index < 0) return false;
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
 	"name": "node-oauth2-server",
 	"description": "Complete, compliant and well tested module for implementing an OAuth2 Server/Provider with express in node.js",
-	"version": "1.3.0",
+	"version": "1.3.1",
 	"keywords": [
 		"oauth",
 		"oauth2"
diff --git a/test/token.js b/test/token.js
@@ -91,16 +91,60 @@ describe('OAuth2Server.token()', function() {
 				.send({ grant_type: 'password' })
 				.expect(/invalid or missing client_id parameter/i, 400, done);
 		});
+
+		it('should extract credentials from body', function (done) {
+			var app = bootstrap({
+				model: {
+					getClient: function (id, secret, callback) {
+						try {
+							id.should.equal('thom');
+							secret.should.equal('nightworld');
+							callback(false, false);
+						} catch (e) {
+							return done(e);
+						}
+					}
+				},
+				grants: ['password']
+			});
+
+			request(app)
+				.post('/oauth/token')
+				.set('Content-Type', 'application/x-www-form-urlencoded')
+				.send({ grant_type: 'password', client_id: 'thom', client_secret: 'nightworld' })
+				.expect(400, done);
+		});
+
+		it('should extract credentials from header (Basic)', function (done) {
+			var app = bootstrap({
+				model: {
+					getClient: function (id, secret, callback) {
+						try {
+							id.should.equal('thom');
+							secret.should.equal('nightworld');
+							callback(false, false);
+						} catch (e) {
+							return done(e);
+						}
+					}
+				},
+				grants: ['password']
+			});
+
+			request(app)
+				.post('/oauth/token')
+				.set('Authorization', 'Basic dGhvbTpuaWdodHdvcmxkCg==')
+				.set('Content-Type', 'application/x-www-form-urlencoded')
+				.send({ grant_type: 'password' })
+				.expect(400, done);
+		});
 	});
 
 	describe('check client credentials against model', function () {
 		it('should detect invalid client', function (done) {
 			var app = bootstrap({
 				model: {
 					getClient: function (id, secret, callback) {
-						id.should.equal('thom');
-						secret.should.equal('nightworld');
-
 						callback(false, false); // Fake invalid
 					}
 				},

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "node-oauth2-server",`
`3`	`3`	`"description": "Complete, compliant and well tested module for implementing an OAuth2 Server/Provider with express in node.js",`
`4`		`- "version": "1.3.0",`
	`4`	`+ "version": "1.3.1",`
`5`	`5`	`"keywords": [`
`6`	`6`	`"oauth",`
`7`	`7`	`"oauth2"`