From be9e8852b81833ec182bde3c2501d3785d674229 Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Sat, 25 Nov 2017 08:09:57 +0000
Subject: [PATCH] WIP respond to RPC

---
 oauth3.core.js | 2 +-
 well-known/oauth3/index.html | 163 +++++++++++++++++++++--------------
 2 files changed, 99 insertions(+), 66 deletions(-)

diff --git a/oauth3.core.js b/oauth3.core.js
index 4d5e21b..a4001f5 100644
--- a/oauth3.core.js
+++ b/oauth3.core.js
@@ -965,7 +965,7 @@
 }
 // TODO params should have response_type indicating json, binary, etc
- var result = JSON.parse(OAUTH3._base64.decodeUrlSafe(params.result || params.directives));
+ var result = JSON.parse(OAUTH3._base64.decodeUrlSafe(params.data || params.result || params.directives));
 // caller will call OAUTH3.hooks.directives.set(providerUri, directives);
 return result;
 });
diff --git a/well-known/oauth3/index.html b/well-known/oauth3/index.html
index b31b6b9..a3d6c62 100644
--- a/well-known/oauth3/index.html
+++ b/well-known/oauth3/index.html
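Review bot: The new `params.data` fallback is fed straight into `JSON.parse` with no guard, so a value that does not decode to valid JSON rejects this promise with a bare SyntaxError rather than a descriptive error. `params` appears to be parsed from the redirect coming back from the provider page, so this code does not produce the value itself; wrapping the parse, e.g. `try { result = JSON.parse(...); } catch (e) { throw new Error("invalid directives payload"); }`, gives callers a recognisable failure to handle. The enclosing function starts outside the hunk, so whether a caller already catches this cannot be confirmed from here.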
@@ -20,74 +20,20 @@ // TODO what about search within hash? var prefix = "(" + window.location.hostname + ") [.well-known/oauth3/]"; var params = OAUTH3.query.parse(window.location.hash || window.location.search); - if (params.debug) { - console.warn(prefix, "DEBUG MODE ENABLED. Automatic redirects disabled."); - } + var urlsafe64; + var redirect; + var err; + var oldRpc; + var sub = params.sub || params.subject; + var subData; - console.log(prefix, 'hash||search:'); - console.log(window.location.hash || window.location.search); - - console.log(prefix, 'params:'); - console.log(params); - - var fileWhiteList = [ - "directives.json" - , "scopes.json" ]; - - //Serving arbitrary files/paths is probably not a good idea. - //Let's make sure this is something we want to serve. - if(fileWhiteList.indexOf(params.discoverFile) === -1) { - //Nope! - var redirect = params.redirect_uri + '?' + OAUTH3.query.stringify({ - state: params.state - , error: "No access to requested file: " + params.discoverFile - , error_code: "E_ACCESS_DENIED" - , debug: params.debug || undefined - }); - - console.error(prefix, "Requested file is not listed as a discoverable file:" - , fileWhiteList); - console.log("Redirecting with error: ", redirect) - - if (!params.debug) { - window.location = redirect; - } else { - // yes, we're violating the security lint with purpose - document.body.innerHTML += window.location.host + window.location.pathname - + '

You\'ve passed the \'debug\' parameter so we\'re pausing' - + ' to let you look at logs or whatever it is that you intended to do.' - + '

The requested file was not a discoverable file (see console for details).' - + '

Continue with error redirect: ' + redirect + ''; + function doRedirect(redirect) { + if (params.debug) { + console.log(prefix, 'params.redirect_uri:', params.redirect_uri); + console.log(prefix, 'redirect'); + console.log(redirect); } - return; - } - OAUTH3.request({ url: params.discoverfile }).then(function (resp) { - var urlsafe64 = OAUTH3._base64.encodeUrlSafe(JSON.stringify(resp.data, null, 0)); - var redirect; - var returnParams; - - console.log(prefix, 'file contents'); - console.log(resp); - - console.log(prefix, 'base64'); - console.log(urlsafe64); - - // TODO try postMessage back to redirect_uri domain right here - // window.postMessage(); - - // TODO make sure it's https NOT http - // NOTE: this can be only up to 2,083 characters - console.log(prefix, 'params.redirect_uri:', params.redirect_uri); - redirect = params.redirect_uri + '?' + OAUTH3.query.stringify({ - state: params.state - , directives: urlsafe64 //kept for now, probably should remove this. - , result: urlsafe64 - , debug: params.debug || undefined - }) - - console.log(prefix, 'redirect'); - console.log(redirect); if (!params.debug) { window.location = redirect; } else { @@ -97,6 +43,93 @@ + ' to let you look at logs or whatever it is that you intended to do.' + '

Continue with redirect:
' + redirect + ''; } + } + + function onError(err) { + var redirect = params.redirect_uri + '?' + OAUTH3.query.stringify({ + state: params.state + , error: err.code + , error_description: err.message + , error_uri: err.uri + , debug: params.debug || undefined + }); + + doRedirect(redirect); + } + + function onSuccess(urlsafe64, hasSub) { + if (params.debug) { + console.log(prefix, 'directives'); + console.log(resp); + + console.log(prefix, 'base64'); + console.log(urlsafe64); + } + + // TODO try postMessage back to redirect_uri domain right here + // window.postMessage(); + + // TODO SECURITY make sure it's https NOT http + // NOTE: this can be only up to 2,083 characters + redirect = params.redirect_uri + '?' + OAUTH3.query.stringify({ + state: params.state + , directives: oldRpc ? urlsafe64 : undefined + , data: !oldRpc ? urlsafe64 : undefined + , sub: hasSub && sub || undefined + , debug: params.debug || undefined + }); + + doRedirect(redirect); + } + + if (params.debug) { + console.warn(prefix, "DEBUG MODE ENABLED. 
Automatic redirects disabled."); + + console.log(prefix, 'hash||search:'); + console.log(window.location.hash || window.location.search); + + console.log(prefix, 'params:'); + console.log(params); + } + + if ('rpc' !== params.response_type) { + err = new Error("response_type '" + params.response_type + "' is not supported"); + err.code = "E_RESPONSE_TYPE"; + // TODO err.uri + onError(err); + return; + } + + if (params.action) { + oldRpc = true; + } + + if (/localstorage/i.test(params._scheme)) { + if (sub) { + subData = localStorage.getItem(sub + '@oauth3.org:issuer'); + onSuccess(subData || localStorage.getItem('oauth3.org:issuer'), subData && true); + return; + } + onSuccess(localStorage.getItem('oauth3.org:issuer')); + return; + } + + var fileWhiteList = [ + '.well-known/oauth3/directives.json' + , '.well-known/oauth3/scopes.json' + ]; + + if (-1 === fileWhiteList.indexOf(params._pathname)) { + err = new Error("No access to requested file: " + params._pathname); + err.code = "E_ACCESS_DENIED" + // TODO err.uri + onError(err); + } + + OAUTH3.request({ url: 'directives.json' }).then(function (resp) { + urlsafe64 = OAUTH3._base64.encodeUrlSafe(JSON.stringify(resp.data, null, 0)); + + onSuccess(urlsafe64); }); }());