Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: handle empty client_secret with basic and post client auth #610

Merged
merged 3 commits into from
Jul 6, 2023
Merged

fix: handle empty client_secret with basic and post client auth #610

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
abd0646
Support setting client_secret to an empty string when using client_se…
Exidex Jul 6, 2023
5a1570e
fixup! Support setting client_secret to an empty string when using cl…
panva Jul 6, 2023
f3cf928
fixup! Support setting client_secret to an empty string when using cl…
panva Jul 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions lib/helpers/client.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ async function authFor(endpoint, { clientAssertionPayload } = {}) {
case 'none':
return { form: { client_id: this.client_id } };
case 'client_secret_post':
if (!this.client_secret) {
if (typeof this.client_secret !== 'string') {
throw new TypeError(
'client_secret_post client authentication method requires a client_secret',
);
Expand Down Expand Up @@ -120,7 +120,7 @@ async function authFor(endpoint, { clientAssertionPayload } = {}) {
// > Appendix B, and the encoded value is used as the username; the client
// > password is encoded using the same algorithm and used as the
// > password.
if (!this.client_secret) {
if (typeof this.client_secret !== 'string') {
throw new TypeError(
'client_secret_basic client authentication method requires a client_secret',
);
Expand Down
20 changes: 20 additions & 0 deletions test/client/client_instance.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2253,6 +2253,18 @@ describe('Client', () => {
);
});
});

it('allows client_secret to be empty string', async function () {
const issuer = new Issuer();
const client = new issuer.Client({
client_id: 'an:identifier',
client_secret: '',
token_endpoint_auth_method: 'client_secret_post',
});
expect(await clientInternal.authFor.call(client, 'token')).to.eql({
form: { client_id: 'an:identifier', client_secret: '' },
});
});
});

describe('when client_secret_basic', function () {
Expand Down Expand Up @@ -2288,6 +2300,14 @@ describe('Client', () => {
);
});
});

it('allows client_secret to be empty string', async function () {
const issuer = new Issuer();
const client = new issuer.Client({ client_id: 'an:identifier', client_secret: '' });
expect(await clientInternal.authFor.call(client, 'token')).to.eql({
headers: { Authorization: 'Basic YW4lM0FpZGVudGlmaWVyOg==' },

Check failure

Code scanning / CodeQL

Hard-coded credentials

The hard-coded value "Basic YW4lM0FpZGVudGlmaWVyOg==" is used as [authorization header](1).
});
});
});

describe('when client_secret_jwt', function () {
Expand Down