Allow any valid URI for extension grants

thomseddon · thomseddon · commit c169c1bb2e3c · 2015-01-26T23:21:00.000Z
URI as per RFC 3986 (http://tools.ietf.org/html/rfc3986#section-3)
diff --git a/Readme.md b/Readme.md
@@ -266,7 +266,7 @@ The spec does not actually require that you revoke the old token - hence this is
 
 ## Extension Grants
 You can support extension/custom grants by implementing the extendedGrant method as outlined above.
-Any requests that begin with http(s):// (as [defined in the spec](http://tools.ietf.org/html/rfc6749#section-4.5)) will be passed to it for you to handle.
+Any grant type that is a valid URI will be passed to it for you to handle (as [defined in the spec](http://tools.ietf.org/html/rfc6749#section-4.5)).
 You can access the grant type via the first argument and you should pass back supported as `false` if you do not support it to ensure a consistent (and compliant) response.
 
 ## Example using the `password` grant type
diff --git a/lib/grant.js b/lib/grant.js
@@ -151,7 +151,8 @@ function checkClient (done) {
  * @this   OAuth
  */
 function checkGrantType (done) {
-  if (this.grantType.match(/^http(s|):\/\//) && this.model.extendedGrant) {
+  if (this.grantType.match(/^[a-zA-Z][a-zA-Z0-9+.-]+:/)
+      && this.model.extendedGrant) {
     return useExtendedGrant.call(this, done);
   }
 
diff --git a/lib/oauth2server.js b/lib/oauth2server.js
@@ -67,7 +67,7 @@ OAuth2Server.prototype.authorise = function () {
   var self = this;
 
   return function (req, res, next) {
-    new Authorise(self, req, next);
+    return new Authorise(self, req, next);
   };
 };
 
@@ -213,7 +213,9 @@ OAuth2Server.prototype.lockdown = function (app) {
 
   if (app.routes) {
     for (var method in app.routes) {
-      app.routes[method].callbacks.forEach(lockdownExpress3);
+      app.routes[method].forEach(function (route) {
+        lockdownExpress3(route.callbacks);
+      });
     }
   } else {
     app._router.stack.forEach(lockdownExpress4);
diff --git a/test/grant.extended.js b/test/grant.extended.js
@@ -129,9 +129,9 @@ describe('Granting with extended grant type', function () {
         extendedGrant: function (grantType, req, callback) {
           callback(false, true, { id: 3 });
         },
-        saveAccessToken: function () {
-          done(); // That's enough
-        }
+        saveAccessToken: function (token, clientId, expires, user, cb) {
+          cb();
+        },
       },
       grants: ['http://custom.com']
     });
@@ -146,4 +146,34 @@ describe('Granting with extended grant type', function () {
       })
       .expect(200, done);
   });
+
+  it('should allow any valid URI valid request', function (done) {
+    var app = bootstrap({
+      model: {
+        getClient: function (id, secret, callback) {
+          callback(false, true);
+        },
+        grantTypeAllowed: function (clientId, grantType, callback) {
+          callback(false, true);
+        },
+        extendedGrant: function (grantType, req, callback) {
+          callback(false, true, { id: 3 });
+        },
+        saveAccessToken: function (token, clientId, expires, user, cb) {
+          cb();
+        },
+      },
+      grants: ['urn:custom:grant']
+    });
+
+    request(app)
+      .post('/oauth/token')
+      .set('Content-Type', 'application/x-www-form-urlencoded')
+      .send({
+        grant_type: 'urn:custom:grant',
+        client_id: 'thom',
+        client_secret: 'nightworld'
+      })
+      .expect(200, done);
+  });
 });
diff --git a/test/lockdown.js b/test/lockdown.js
@@ -20,6 +20,7 @@ var express = require('express'),
   should = require('should');
 
 var oauth2server = require('../');
+var Authorise = require('../lib/authorise');
 
 var bootstrap = function (oauthConfig) {
   var app = express();
@@ -86,4 +87,48 @@ describe('Lockdown pattern', function() {
       .get('/public')
       .expect(200, /hello/i, done);
   });
+
+  describe('in express 3', function () {
+    var app, privateAction, publicAction;
+
+    beforeEach(function () {
+      privateAction = function () {};
+      publicAction = function () {};
+
+      // mock express 3 app
+      app = {
+        routes: { get: [] }
+      };
+
+      app.oauth = oauth2server({ model: {} });
+      app.routes.get.push({ callbacks: [ privateAction ] });
+      app.routes.get.push({ callbacks: [ app.oauth.bypass, publicAction ] })
+      app.oauth.lockdown(app);
+    });
+
+    function mockRequest(authoriseFactory) {
+      var req = {
+        get: function () {},
+        query: { access_token: { expires: null } }
+      };
+      var next = function () {};
+
+      app.oauth.model.getAccessToken = function (t, c) { c(null, t); };
+
+      return authoriseFactory(req, null, next);
+    }
+
+    it('adds authorise to non-bypassed routes', function () {
+      var authorise = mockRequest(app.routes.get[0].callbacks[0]);
+      authorise.should.be.an.instanceOf(Authorise);
+    });
+
+    it('runs non-bypassed routes after authorise', function () {
+      app.routes.get[0].callbacks[1].should.equal(privateAction);
+    });
+
+    it('removes oauth.bypass from bypassed routes', function () {
+      app.routes.get[1].callbacks[0].should.equal(publicAction);
+    });
+  });
 });

Original file line number	Diff line number	Diff line change
`@@ -151,7 +151,8 @@ function checkClient (done) {`
`151`	`151`	`* @this OAuth`
`152`	`152`	`*/`
`153`	`153`	`function checkGrantType (done) {`
`154`		`- if (this.grantType.match(/^http(s\|):\/\//) && this.model.extendedGrant) {`
	`154`	`+ if (this.grantType.match(/^[a-zA-Z][a-zA-Z0-9+.-]+:/)`
	`155`	`+ && this.model.extendedGrant) {`
`155`	`156`	`return useExtendedGrant.call(this, done);`
`156`	`157`	`}`
`157`	`158`