From ea788bcb7631bf39a0c3c71683bdf5a8ae3943d8 Mon Sep 17 00:00:00 2001
From: tigerbot <seth.gibelyou@daplie.com>
Date: Mon, 3 Jul 2017 12:26:12 -0600
Subject: [PATCH] reduced duplicate parsing of location

---
 js/issuer.js | 63 +++++++++++++++++++++-------------------------------
 1 file changed, 25 insertions(+), 38 deletions(-)

diff --git a/js/issuer.js b/js/issuer.js
index 08c630b..bc575d2 100644
--- a/js/issuer.js
+++ b/js/issuer.js
@@ -9,7 +9,7 @@ $(function () {
 
   var OAUTH3 = window.OAUTH3;
   var CONFIG = {
-    host: OAUTH3.utils.clientUri(window.location)
+    host: OAUTH3.clientUri(window.location)
   , directives: null // will be populated before the login button appears
   };
   var loc = window.location;
@@ -20,10 +20,6 @@ $(function () {
   };
   $('.js-scopes-container').html('');
 
-  /*
-  OAUTH3._hooks.sessions.all = function (providerUri) {
-  };
-  */
   OAUTH3._hooks = { sessions: {} };
   OAUTH3._hooks.sessions.get = function (providerUri, id) {
     return JSON.parse(window.localStorage.getItem('session-' + providerUri + (id || '')) || 'null');
@@ -35,7 +31,7 @@ $(function () {
   };
 
   // TODO let query.parse do location.hash || location.search || location
-  var clientParams = OAUTH3.query.parse(window.location.hash || window.location.search);
+  var clientParams = OAUTH3.query.parse(loc.hash || loc.search);
   if (/authorization_dialog/.test(window.location.href)) {
     // OAUTH3.lintClientParams(params, window)
     // OAUTH3.normalizeClientParams(params, window)
@@ -58,12 +54,12 @@ $(function () {
       + "'" + OAUTH3.url.normalize(window.document.referrer) + "'"
       );
     }
-    if (clientParams.client_uri) {
+    if (clientParams.client_uri && clientParams.client_uri !== clientParams.client_id) {
       console.warn("'client_id' should be used instead of 'client_uri'");
     }
     if (!(clientParams.client_id || clientParams.client_uri)) {
-      window.alert("'response_type' must exist and be either 'token' (implicit flow) or 'code' (authorization flow)");
-      console.error("'response_type' must exist and be either 'token' (implicit flow) or 'code' (authorization flow)");
+      window.alert("'client_id' must exist as the uri identifying the client");
+      console.error("'client_id' must exist as the uri identifying the client");
       clientParams.client_id = clientParams.client_uri = OAUTH3.url.normalize(window.document.referrer);
     }
     if (!clientParams.redirect_uri) {
@@ -99,11 +95,10 @@ $(function () {
   }
 
   function getGrants(session) {
-    var clientObj = OAUTH3.query.parse(loc.hash || loc.search);
-    var clientLogo = OAUTH3.url.normalize(clientObj.client_uri) // optional relative logo ?
+    var clientLogo = OAUTH3.url.normalize(clientParams.client_uri) // optional relative logo ?
       + '/.well-known/oauth3/logo-128x128.png'
       ;
-    var callbackUrl;
+
     // TODO put in directives.json or similar
     var grantDescriptions = {
       'oauth3_authn': "Basic secure authentication"
@@ -127,10 +122,10 @@ $(function () {
     $('.js-client-logo').attr('src', clientLogo);
     //$('.js-user-avatar').attr('src', userAvatar);
 
-    return OAUTH3.authz.scopes(CONFIG.host, session, clientObj).then(function (scopes) {
+    return OAUTH3.authz.scopes(CONFIG.host, session, clientParams).then(function (scopes) {
       if (!scopes.pending.length) {
         // looks like we've done all of this before
-        OAUTH3.authz.redirectWithToken(CONFIG.host, session, clientObj, scopes);
+        OAUTH3.authz.redirectWithToken(CONFIG.host, session, clientParams, scopes);
         return;
       }
 
@@ -138,10 +133,12 @@ $(function () {
       // TODO secure iFrame from click-jacking by requiring input?
       // ex: input.security-code[type="text"].val(Math.random()); input.js-verify-code[placeholder="Type what you see"]
       if (OAUTH3._browser.isIframe()) {
-        callbackUrl = clientObj.redirect_uri + '#state=' + clientObj.state + '&error=access_denied&error_description='
-          + encodeURIComponent("You're requesting permission in an iframe, but the permissions have not yet been granted")
-          + '&error_uri=' + encodeURIComponent('https://oauth3.org/docs/errors/#E_IFRAME_DENIED');
-        location.href = callbackUrl;
+        location.href = clientParams.redirect_uri +'#'+ OAUTH3.query.stringify({
+          state: clientParams.state
+        , error: 'access_denied'
+        , error_description: encodeURIComponent("You're requesting permission in an iframe, but the permissions have not yet been granted")
+        , error_uri: encodeURIComponent('https://oauth3.org/docs/errors/#E_IFRAME_DENIED')
+        });
         return;
       }
 
@@ -331,8 +328,6 @@ $(function () {
     });
 
     getSession(CONFIG.host).then(function (session) {
-      var clientParams = OAUTH3.query.parse(loc.hash || loc.search);
-
       return OAUTH3.authz.scopes(CONFIG.host, session, clientParams).then(function (scopes) {
         scopes.new = acceptedScopes;
         return OAUTH3.authz.redirectWithToken(CONFIG.host, session, clientParams, scopes);
@@ -346,21 +341,17 @@ $(function () {
     ev.preventDefault();
     ev.stopPropagation();
 
-    var loginWinObj = OAUTH3.query.parse(loc.hash || loc.search);
-
     var denyObj = {
       error: 'access_denied'
     , error_description: 'The user has denied access.'
     , error_uri: 'https://' + CONFIG.host + '/.well-known/oauth3/errors.html#/?error=access_denied'
-    , state: loginWinObj.state
-    , scope: loginWinObj.scope
+    , state: clientParams.state
+    , scope: clientParams.scope
     };
 
-    window.location = loginWinObj.redirect_uri + '#' + OAUTH3.query.stringify(denyObj);
+    window.location = clientParams.redirect_uri + '#' + OAUTH3.query.stringify(denyObj);
   };
   util.handleLogout = function () {
-    var clientParams = OAUTH3.query.parse(loc.hash || loc.search);
-
     localStorage.clear();
 
     clientParams.redirect_uri += '?' + OAUTH3.query.stringify({
@@ -397,16 +388,17 @@ $(function () {
     return getSession(CONFIG.host).then(function (session) {
       return getGrants(session);
     }, function (e) {
-      var clientObj = OAUTH3.query.parse(loc.hash || loc.search);
       // TODO select the providers the client wants to show
       // providers=daplie.com,facebook.com,google.com // etc
       // TODO let the client specify switch_user
       // TODO let the client specify relogin if stale
       if (OAUTH3._browser.isIframe()) {
-        var callbackUrl = clientObj.redirect_uri + '#state=' + clientObj.state + '&error=access_denied&error_description='
-          + encodeURIComponent("You're requesting permission in an iframe, but the user is not yet authenticated")
-          + '&error_uri=' + encodeURIComponent('https://oauth3.org/docs/errors/#E_IFRAME_DENIED');
-        location.href = callbackUrl;
+        location.href = clientParams.redirect_uri +'#'+ OAUTH3.query.stringify({
+          state: clientParams.state
+        , error: 'access_denied'
+        , error_description: encodeURIComponent("You're requesting permission in an iframe, but the user is not yet authenticated")
+        , error_uri: encodeURIComponent('https://oauth3.org/docs/errors/#E_IFRAME_DENIED')
+        });
       }
       if (clientParams.subject) {
         $('.js-oauth3-email').val(clientParams.subject);
@@ -419,10 +411,7 @@ $(function () {
   }
 
   // Session initialization
-  return OAUTH3.discover(
-    OAUTH3.clientUri(window.location)
-  , { client_uri: OAUTH3.clientUri(window.location) }
-  ).then(function (directives) {
+  return OAUTH3.discover(CONFIG.host, { client_uri: CONFIG.host }).then(function (directives) {
     // TODO cache directives in memory (and storage)
     CONFIG.directives = directives;
     directives.issuer = directives.issuer || (window.location.host + window.location.pathname).replace(/\/$/, '');
@@ -439,7 +428,5 @@ $(function () {
     }
 
     $('body').addClass('in');
-
   });
-
 });