Merge pull request #41 from solid/consent-screen

Consent screen update

Author: jaxoncreed

src/handlers/login-consent-request.js

@@ -1,5 +1,8 @@
 'use strict'
 
+const AuthResponseSent = require('../errors/auth-response-sent')
+const url = require('url')
+
 class LoginConsentRequest {
   constructor (options) {
     this.opAuthRequest = options.opAuthRequest
@@ -62,15 +65,18 @@ class LoginConsentRequest {
   static obtainConsent (consentRequest) {
     let { opAuthRequest, clientId } = consentRequest
 
+    const parsedAppOrigin = url.parse(consentRequest.opAuthRequest.params.redirect_uri)
+    const appOrigin = `${parsedAppOrigin.protocol}//${parsedAppOrigin.host}`
+
     // Consent for the local RP client (the home pod) is implied
-    if (consentRequest.isLocalRpClient(clientId)) {
+    if (consentRequest.isLocalRpClient(appOrigin)) {
       return Promise.resolve()
         .then(() => { consentRequest.markConsentSuccess(opAuthRequest) })
         .then(() => opAuthRequest)
     }
 
     // Check if user has submitted this from a Consent page
-    if (consentRequest.params.consent) {
+    if (consentRequest.hasAlreadyConsented(appOrigin)) {
       return consentRequest.saveConsentForClient(clientId)
         .then(() => { consentRequest.markConsentSuccess(opAuthRequest) })
         .then(() => opAuthRequest)
@@ -82,7 +88,7 @@ class LoginConsentRequest {
         if (priorConsent) {
           consentRequest.markConsentSuccess(opAuthRequest)
         } else {
-          consentRequest.renderConsentPage()
+          consentRequest.redirectToConsent()
         }
       })
       .then(() => opAuthRequest)
@@ -95,10 +101,13 @@ class LoginConsentRequest {
     return this.params['client_id']
   }
 
-  isLocalRpClient (clientId) {
-    let host = this.opAuthRequest.host || {}
+  isLocalRpClient (appOrigin) {
+    return this.opAuthRequest.req.app.locals.ldp.serverUri === appOrigin
+  }
 
-    return !!clientId && clientId === host.localClientId
+  hasAlreadyConsented (appOrigin) {
+    return this.opAuthRequest.req.session.consentedOrigins &&
+      this.opAuthRequest.req.session.consentedOrigins.includes(appOrigin)
   }
 
   checkSavedConsentFor (opAuthRequest) {
@@ -114,11 +123,21 @@ class LoginConsentRequest {
     return Promise.resolve(clientId)
   }
 
-  renderConsentPage () {
-    let { response, params, opAuthRequest } = this
+  redirectToConsent (authRequest) {
+    let { opAuthRequest } = this
+    let consentUrl = url.parse('/consent')
+    consentUrl.query = opAuthRequest.req.query
+
+    consentUrl = url.format(consentUrl)
+    opAuthRequest.subject = null
+
+    opAuthRequest.res.redirect(consentUrl)
+
+    this.signalResponseSent()
+  }
 
-    response.render('auth/consent', params)
-    opAuthRequest.headersSent = true
+  signalResponseSent () {
+    throw new AuthResponseSent('User redirected')
   }
 }
 

src/host-api.js

@@ -83,10 +83,13 @@ function initSubjectClaim (authRequest, webId) {
 
 function obtainConsent (authRequest) {
   let debug = authRequest.host.debug || console.error.bind(console)
-  let skipConsent = true
+  let skipConsent = false
 
   return LoginConsentRequest.handle(authRequest, skipConsent)
     .catch(error => {
+      if (error instanceof AuthResponseSent) {
+        throw error
+      }
       debug('Error in auth Consent step: ', error)
     })
 }

test/unit/login-consent-request.js

@@ -13,6 +13,30 @@ const HttpMocks = require('node-mocks-http')
 
 const LoginConsentRequest = require('../../src/handlers/login-consent-request')
 
+function createOpAuthRequest (overwrite) {
+  return Object.assign({
+    req: {
+      body: {},
+      app: {
+        locals: {
+          ldp: {
+            serverUri: 'https://pod.example'
+          }
+        }
+      },
+      session: {
+        consentedOrigins: ['https://example.com']
+      }
+    },
+    res: HttpMocks.createResponse(),
+    subject: {},
+    params: {
+      redirect_uri: 'https://example.com'
+    },
+    host: {}
+  }, overwrite)
+}
+
 describe('LoginConsentRequest', () => {
   describe('constructor()', () => {
     it('should initialize a new instance', () => {
@@ -70,8 +94,7 @@ describe('LoginConsentRequest', () => {
 
   describe('handle()', () => {
     it('should return the opAuthRequest object', () => {
-      let res = HttpMocks.createResponse()
-      let opAuthRequest = { req: { body: {} }, res, subject: {} }
+      let opAuthRequest = createOpAuthRequest()
 
       return LoginConsentRequest.handle(opAuthRequest)
         .then(returnedRequest => {
@@ -80,8 +103,7 @@ describe('LoginConsentRequest', () => {
     })
 
     it('should invoke obtainConsent()', () => {
-      let res = HttpMocks.createResponse()
-      let opAuthRequest = { req: { body: {} }, res, subject: {} }
+      let opAuthRequest = createOpAuthRequest()
 
       let obtainConsent = sinon.spy(LoginConsentRequest, 'obtainConsent')
 
@@ -93,8 +115,7 @@ describe('LoginConsentRequest', () => {
     })
 
     it('should pass through opAuthRequest if skipConsent is set', () => {
-      let res = HttpMocks.createResponse()
-      let opAuthRequest = { req: { body: {} }, res, subject: {} }
+      let opAuthRequest = createOpAuthRequest()
       let skipConsent = true
 
       return LoginConsentRequest.handle(opAuthRequest, skipConsent)
@@ -103,16 +124,6 @@ describe('LoginConsentRequest', () => {
           LoginConsentRequest.obtainConsent.resetHistory()
         })
     })
-
-    it('should not invoke obtainConsent() if subject is missing', () => {
-      let res = HttpMocks.createResponse()
-      let opAuthRequest = { req: { body: {} }, res }
-
-      return LoginConsentRequest.handle(opAuthRequest)
-        .then(() => {
-          expect(LoginConsentRequest.obtainConsent).to.not.have.been.called()
-        })
-    })
   })
 
   describe('clientId getter', () => {
@@ -130,52 +141,46 @@ describe('LoginConsentRequest', () => {
   describe('isLocalRpClient()', () => {
     it('should be false if host has no local client initialized', () => {
       let params = { 'client_id': '1234' }
-      let response = HttpMocks.createResponse()
-      let opAuthRequest = { host: {} }
+      let res = HttpMocks.createResponse()
+      let opAuthRequest = createOpAuthRequest({ res })
 
-      let request = new LoginConsentRequest({ params, response, opAuthRequest })
+      let request = new LoginConsentRequest({ params, res, opAuthRequest })
 
       expect(request.isLocalRpClient('1234')).to.be.false()
     })
 
     it('should be false if params has no client id', () => {
       let params = {}
-      let response = HttpMocks.createResponse()
-      let opAuthRequest = {
-        host: {}
-      }
+      let res = HttpMocks.createResponse()
+      let opAuthRequest = createOpAuthRequest({ res })
 
-      let request = new LoginConsentRequest({ params, response, opAuthRequest })
+      let request = new LoginConsentRequest({ params, res, opAuthRequest })
 
       expect(request.isLocalRpClient(undefined)).to.be.false()
     })
 
-    it('should be false if host local client id does not match params', () => {
-      let params = { 'client_id': '1234' }
-      let response = HttpMocks.createResponse()
-      let opAuthRequest = {
-        host: {
-          localClientId: '5678'
-        }
-      }
+    it('should be false if host local app origin does not equal param server uri', () => {
+      let params = {}
+      let res = HttpMocks.createResponse()
+      let opAuthRequest = createOpAuthRequest({
+        res
+      })
 
-      let request = new LoginConsentRequest({ params, response, opAuthRequest })
+      let request = new LoginConsentRequest({ params, res, opAuthRequest })
 
-      expect(request.isLocalRpClient('1234')).to.be.false()
+      expect(request.isLocalRpClient('https://example.com')).to.be.false()
     })
 
-    it('should be true if host local client id equals param client_id', () => {
-      let params = { 'client_id': '1234' }
-      let response = HttpMocks.createResponse()
-      let opAuthRequest = {
-        host: {
-          localClientId: '1234'
-        }
-      }
+    it('should be true if host local app origin equals param server uri', () => {
+      let params = {}
+      let res = HttpMocks.createResponse()
+      let opAuthRequest = createOpAuthRequest({
+        res
+      })
 
-      let request = new LoginConsentRequest({ params, response, opAuthRequest })
+      let request = new LoginConsentRequest({ params, res, opAuthRequest })
 
-      expect(request.isLocalRpClient('1234')).to.be.true()
+      expect(request.isLocalRpClient('https://pod.example')).to.be.true()
     })
   })
 
@@ -188,7 +193,12 @@ describe('LoginConsentRequest', () => {
       beforeEach(() => {
         req = { body: { scope: 'openid', client_id: clientId } }
         res = HttpMocks.createResponse()
-        opAuthRequest = { req, res, host }
+        opAuthRequest = createOpAuthRequest({ res, host })
+        opAuthRequest = Object.assign(opAuthRequest, {
+          req: Object.assign(opAuthRequest.req, {
+            body: req.body
+          })
+        })
       })
 
       it('should mark successful consent automatically', () => {
@@ -221,7 +231,12 @@ describe('LoginConsentRequest', () => {
       beforeEach(() => {
         req = { body: { consent: true, scope: 'openid', client_id: clientId } }
         res = HttpMocks.createResponse()
-        opAuthRequest = { req, res, host }
+        opAuthRequest = createOpAuthRequest({ res, host })
+        opAuthRequest = Object.assign(opAuthRequest, {
+          req: Object.assign(opAuthRequest.req, {
+            body: req.body
+          })
+        })
       })
 
       it('should call saveConsentForClient()', () => {
@@ -270,19 +285,15 @@ describe('LoginConsentRequest', () => {
       beforeEach(() => {
         req = { body: { scope: 'openid' } }
         res = HttpMocks.createResponse()
-        opAuthRequest = { req, res }
-      })
-
-      it('should check for previously saved consent', () => {
-        let request = LoginConsentRequest.from(opAuthRequest)
-
-        request.checkSavedConsentFor = sinon.mock()
-          .returns(Promise.resolve(false))
-
-        return LoginConsentRequest.obtainConsent(request)
-          .then(() => {
-            expect(request.checkSavedConsentFor).to.have.been.called()
+        opAuthRequest = createOpAuthRequest({ res })
+        opAuthRequest = Object.assign(opAuthRequest, {
+          req: Object.assign(opAuthRequest.req, {
+            session: {
+              consentedOrigins: []
+            },
+            body: req.body
           })
+        })
       })
 
       describe('if user consent has been previously saved', () => {
@@ -305,16 +316,17 @@ describe('LoginConsentRequest', () => {
       })
 
       describe('if user consent has NOT been previously saved', () => {
-        it('should call renderConsentPage()', () => {
+        it('should call redirectToConsent()', () => {
           let request = LoginConsentRequest.from(opAuthRequest)
 
           request.checkSavedConsentFor = sinon.mock()
             .returns(Promise.resolve(false))
           request.response.render = sinon.mock()
 
-          let renderConsentPage = sinon.spy(request, 'renderConsentPage')
+          let renderConsentPage = sinon.spy(request, 'redirectToConsent')
 
           return LoginConsentRequest.obtainConsent(request)
+            .catch(() => {})
             .then(() => {
               expect(renderConsentPage).to.have.been.called()
             })
@@ -328,6 +340,7 @@ describe('LoginConsentRequest', () => {
           request.response.render = sinon.mock()
 
           return LoginConsentRequest.obtainConsent(request)
+            .catch((opAuthRequest) => opAuthRequest)
             .then(opAuthRequest => {
               expect(opAuthRequest.consent).to.not.exist()
               expect(opAuthRequest.scope).to.not.exist()
@@ -337,37 +350,26 @@ describe('LoginConsentRequest', () => {
     })
   })
 
-  describe('renderConsentPage()', () => {
-    it('should call res.render', () => {
-      let req = { body: {} }
+  describe('redirectToConsent()', () => {
+    it('should call res.redirect', () => {
       let res = HttpMocks.createResponse()
 
-      let render = sinon.stub(res, 'render')
+      let redirect = sinon.stub(res, 'redirect')
 
-      let opAuthRequest = { req, res }
-      let request = LoginConsentRequest.from(opAuthRequest)
-
-      return LoginConsentRequest.obtainConsent(request)
-        .then(() => {
-          expect(render).to.have.been.calledWith('auth/consent')
+      let opAuthRequest = createOpAuthRequest({ res })
+      opAuthRequest = Object.assign(opAuthRequest, {
+        req: Object.assign(opAuthRequest.req, {
+          session: {
+            consentedOrigins: []
+          }
         })
-    })
-
-    it('should set the headerSent property on opAuthRequest', () => {
-      let req = { body: {} }
-      let res = HttpMocks.createResponse()
-
-      sinon.stub(res, 'render')
-
-      let opAuthRequest = { req, res }
+      })
       let request = LoginConsentRequest.from(opAuthRequest)
 
-      request.checkSavedConsentFor = sinon.mock()
-        .returns(Promise.resolve(false))
-
       return LoginConsentRequest.obtainConsent(request)
-        .then(opAuthRequest => {
-          expect(opAuthRequest.headersSent).to.be.true()
+        .catch(() => {})
+        .then(() => {
+          expect(redirect).to.have.been.called()
         })
     })
   })