
Commit 596ae33

refactor: skip checking www-authenticate if expected status is received
fixes #191
1 parent f1c6950 commit 596ae33

2 files changed

+44
-14
lines changed


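--- a/src/index.ts
+++ b/src/index.ts
@@ -2725,8 +2725,6 @@ export async function processPushedAuthorizationResponse(
 throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE)
 }
 
-checkAuthenticationChallenges(response)
-
 await checkOAuthBodyError(response, 201, 'Pushed Authorization Request Endpoint')
 
 assertReadableResponse(response)
@@ -2775,6 +2773,8 @@ async function parseOAuthResponseErrorBody(response: Response): Promise<OAuth2Er
 
 async function checkOAuthBodyError(response: Response, expected: number, label: string) {
 if (response.status !== expected) {
+checkAuthenticationChallenges(response)
+
 let err: OAuth2Error | undefined
 if ((err = await parseOAuthResponseErrorBody(response))) {
 await response.body?.cancel()
@@ -3452,8 +3452,6 @@ async function processGenericAccessTokenResponse(
 throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE)
 }
 
-checkAuthenticationChallenges(response)
-
 await checkOAuthBodyError(response, 200, 'Token Endpoint')
 
 assertReadableResponse(response)
@@ -4373,8 +4371,6 @@ export async function processRevocationResponse(response: Response): Promise<und
 throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE)
 }
 
-checkAuthenticationChallenges(response)
-
 await checkOAuthBodyError(response, 200, 'Revocation Endpoint')
 
 return undefined
@@ -4508,8 +4504,6 @@ export async function processIntrospectionResponse(
 throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE)
 }
 
-checkAuthenticationChallenges(response)
-
 await checkOAuthBodyError(response, 200, 'Introspection Endpoint')
 
 let json: JsonObject
@@ -5592,8 +5586,6 @@ export async function processDeviceAuthorizationResponse(
 throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE)
 }
 
-checkAuthenticationChallenges(response)
-
 await checkOAuthBodyError(response, 200, 'Device Authorization Endpoint')
 
 assertReadableResponse(response)
@@ -6172,8 +6164,6 @@ export async function processBackchannelAuthenticationResponse(
 throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE)
 }
 
-checkAuthenticationChallenges(response)
-
 await checkOAuthBodyError(response, 200, 'Backchannel Authentication Endpoint')
 
 assertReadableResponse(response)
@@ -6367,8 +6357,6 @@ export async function processDynamicClientRegistrationResponse(
 throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE)
 }
 
-checkAuthenticationChallenges(response)
-
 await checkOAuthBodyError(response, 201, 'Dynamic Client Registration Endpoint')
 
 assertReadableResponse(response)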
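Review bot: `checkOAuthBodyError` now silently decides whether a WWW-Authenticate challenge is evaluated at all, but nothing at the definition (the hunk at 2773) records that a challenge header on a response with the expected status is deliberately ignored; add a comment above the new call such as `// Challenges are only evaluated on an unexpected status: a WWW-Authenticate header on an otherwise valid response is ignored (see #191).` and extend the function's doc comment, which starts outside the hunk, to say the same. Any remaining caller of `checkAuthenticationChallenges` that does not route through this helper keeps the old unconditional behaviour; none is visible in this diff, so that is worth confirming, and the doc comments of the seven `process*` functions, whose bodies start outside their hunks, may still describe the old behaviour. The name `checkOAuthBodyError` no longer describes everything the helper does; if it is not renamed, the comment above is the minimum a reader needs.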

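--- /dev/null
+++ b/test/issue-191.test.ts
@@ -0,0 +1,42 @@
+// see https://github.com/panva/oauth4webapi/issues/191
+
+import test from 'ava'
+import { issuer, client, getResponse } from './_setup.js'
+import * as lib from '../src/index.js'
+
+const questionableResponse = () =>
+getResponse(JSON.stringify({ access_token: 'foo', token_type: 'bearer', scope: '' }), {
+headers: new Headers({
+'content-type': 'application/json',
+'WWW-Authenticate': 'Key realm="kong"',
+}),
+})
+
+const errorResponse = () =>
+getResponse(JSON.stringify({ access_token: 'foo', token_type: 'bearer', scope: '' }), {
+headers: new Headers({
+'content-type': 'application/json',
+'WWW-Authenticate': 'Key realm="kong"',
+}),
+status: 400,
+})
+
+test('only checks www-authenticate when the status code is invalid', async (t) => {
+for (const req of [
+lib.processAuthorizationCodeResponse(issuer, client, questionableResponse()),
+lib.processDeviceCodeResponse(issuer, client, questionableResponse()),
+lib.processClientCredentialsResponse(issuer, client, questionableResponse()),
+lib.processRefreshTokenResponse(issuer, client, questionableResponse()),
+]) {
+await t.notThrowsAsync(() => req)
+}
+
+for (const req of [
+lib.processAuthorizationCodeResponse(issuer, client, errorResponse()),
+lib.processDeviceCodeResponse(issuer, client, errorResponse()),
+lib.processClientCredentialsResponse(issuer, client, errorResponse()),
+lib.processRefreshTokenResponse(issuer, client, errorResponse()),
+]) {
+await t.throwsAsync(() => req, { code: 'OAUTH_WWW_AUTHENTICATE_CHALLENGE' })
+}
+})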
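Review bot: The second loop (lines 34-41) starts all four `lib.process*` calls eagerly inside the array literal and only attaches a rejection handler to each one when its turn in the loop comes, so the later promises may reject while still unhandled and, depending on how the body reads are scheduled, trip the runtime's unhandled-rejection handling rather than the assertion; pass thunks to `t.throwsAsync` so each promise is created under the handler. The same eager construction in the first loop is harmless because those calls are expected to resolve. The test also exercises only the four token-endpoint helpers that go through `processGenericAccessTokenResponse`, while the commit changes the PAR, revocation, introspection, device authorization, backchannel authentication and dynamic client registration paths as well, which stay uncovered; `questionableResponse` and `errorResponse` differ only in `status: 400` and could be one factory taking the status, if `getResponse` accepts an omitted status.
```typescript
for (const call of [
  () => lib.processAuthorizationCodeResponse(issuer, client, errorResponse()),
  () => lib.processDeviceCodeResponse(issuer, client, errorResponse()),
  () => lib.processClientCredentialsResponse(issuer, client, errorResponse()),
  () => lib.processRefreshTokenResponse(issuer, client, errorResponse()),
]) {
  await t.throwsAsync(call, { code: 'OAUTH_WWW_AUTHENTICATE_CHALLENGE' })
}
```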
