refactor: simpler DCR validate registration access token

panva · panva · commit 5f01edadb81e · 2025-04-17T10:25:18.000+02:00
diff --git a/lib/actions/registration.js b/lib/actions/registration.js
@@ -15,44 +15,42 @@ const FORBIDDEN = [
   'client_id_issued_at',
 ];
 
-const validateRegistrationAccessToken = [
-  async function validateRegistrationAccessToken(ctx, next) {
-    try {
-      const regAccessToken = await ctx.oidc.provider.RegistrationAccessToken.find(
-        ctx.oidc.getAccessToken(),
-      );
-      ctx.assert(regAccessToken, new InvalidToken('registration access token not found'));
-
-      const client = await ctx.oidc.provider.Client.find(ctx.params.clientId);
-
-      if (client?.clientId !== regAccessToken.clientId) {
-        await regAccessToken.destroy();
-        throw new InvalidToken('client mismatch');
-      }
+async function validateRegistrationAccessToken(ctx, next) {
+  try {
+    const regAccessToken = await ctx.oidc.provider.RegistrationAccessToken.find(
+      ctx.oidc.getAccessToken(),
+    );
+    ctx.assert(regAccessToken, new InvalidToken('registration access token not found'));
+
+    const client = await ctx.oidc.provider.Client.find(ctx.params.clientId);
+
+    if (client?.clientId !== regAccessToken.clientId) {
+      await regAccessToken.destroy();
+      throw new InvalidToken('client mismatch');
+    }
 
-      ctx.oidc.entity('Client', client);
-      ctx.oidc.entity('RegistrationAccessToken', regAccessToken);
-    } catch (err) {
-      if (err.expose) {
-        if (err.error_description === 'no access token provided') {
-          appendWWWAuthenticate(ctx, 'Bearer', {
-            realm: ctx.oidc.issuer,
-            scope: err.scope,
-          });
-        } else {
-          appendWWWAuthenticate(ctx, 'Bearer', {
-            realm: ctx.oidc.issuer,
-            error: err.message,
-            error_description: err.error_description,
-          });
-        }
+    ctx.oidc.entity('Client', client);
+    ctx.oidc.entity('RegistrationAccessToken', regAccessToken);
+  } catch (err) {
+    if (err.expose) {
+      if (err.error_description === 'no access token provided') {
+        appendWWWAuthenticate(ctx, 'Bearer', {
+          realm: ctx.oidc.issuer,
+          scope: err.scope,
+        });
+      } else {
+        appendWWWAuthenticate(ctx, 'Bearer', {
+          realm: ctx.oidc.issuer,
+          error: err.message,
+          error_description: err.error_description,
+        });
       }
-      throw err;
     }
+    throw err;
+  }
 
-    await next();
-  },
-];
+  await next();
+}
 
 export const post = [
   noCache,
@@ -171,7 +169,7 @@ export const post = [
 
 export const get = [
   noCache,
-  ...validateRegistrationAccessToken,
+  validateRegistrationAccessToken,
 
   async function clientReadResponse(ctx) {
     if (ctx.oidc.client.noManage) {
@@ -191,7 +189,7 @@ export const get = [
 
 export const put = [
   noCache,
-  ...validateRegistrationAccessToken,
+  validateRegistrationAccessToken,
   parseBody,
 
   async function forbiddenFields(ctx, next) {
@@ -287,7 +285,7 @@ export const put = [
 
 export const del = [
   noCache,
-  ...validateRegistrationAccessToken,
+  validateRegistrationAccessToken,
 
   async function clientRemoveResponse(ctx) {
     if (ctx.oidc.client.noManage) {
