Add option to manually checking transaction state #27
Conversation
dafortune
force-pushed
the
allow-manual-transaction-checking
branch
from
8063ad0 to
a241a1d
Compare
lib/transaction/index.js
Outdated
| callback(null, verificationStep); | ||
| }); | ||
| }; | ||
|
|
||
| transaction.prototype.getAuthVerficationStep = function getAuthVerficationStep() { |
There was a problem hiding this comment.
This can be easily converted in @nikolaseu proposal of adding the method verifyAuth to the transaction, just call getAuthVerficationStep().verify(...) on that method.
There was a problem hiding this comment.
Typo in "getAuthVerficationStep()", missing "i" in verification
| return self.authVerificationStep; | ||
| }; | ||
|
|
||
| transaction.prototype.getEnrollmentConfirmationStep = function getEnrollmentConfirmationStep() { |
There was a problem hiding this comment.
This can be easily converted in @nikolaseu proposal of adding the method confirmEnrollment to the transaction, just call getEnrollmentConfirmationStep().confirm(...) on that method.
| @@ -13,6 +14,8 @@ exports.create = function create(options) { | |||
|
|
|||
| if (transport === 'polling') { | |||
There was a problem hiding this comment.
Need to replace this by @thoper proposed name.
There was a problem hiding this comment.
We support both, internally I keep using transport not to spread the changes.
lib/transaction/index.js
Outdated
| throw new errors.UnexpectedInputError('Expected data to be an object'); | ||
| } | ||
|
|
||
| if (typeof VALID_METHODS.indexOf(data.method) < 0) { |
There was a problem hiding this comment.
Add test for invalid method in the serialized transaction
lib/transaction/index.js
Outdated
| throw new errors.UnexpectedInputError('Expected data to be an object'); | ||
| } | ||
|
|
||
| if (typeof VALID_METHODS.indexOf(data.method) < 0) { |
There was a problem hiding this comment.
Add test for invalid method in the serialized transaction
| @@ -44,7 +55,10 @@ enrollmentConfirmationStep.prototype.confirm = function confirm(data) { | |||
| }; | |||
|
|
|||
| var confirmTask = function confirmTask(done) { | |||
| self.strategy.confirm(data, done); | |||
| self.strategy.confirm(data, function confirmationDataAccepted(err, result) { | |||
| acceptedCallback(err, { recoveryCode: self.enrollmentAttempt.getRecoveryCode() }); | |||
There was a problem hiding this comment.
passing the recovery code here don't quite convince me, but, how are you going to get the recovery code otherwise... making self.enrollmentAttempt.getRecoveryCode() public seems like opening the door too much considering that we are going to change how enrollmentAttempt works.
lib/transaction/index.js
Outdated
| var self = this; | ||
|
|
||
| if (!self.authVerificationStep) { | ||
| throw new errors.InvalidStateError('cannot get enrollment confirmation ' + |
There was a problem hiding this comment.
Consistent capitalization -- "Cannot get..."
| @@ -57,14 +67,27 @@ authVerificationStep.prototype.verify = function verify(data) { | |||
| verificationPayload = verificationPayload || {}; | |||
|
|
|||
| if (err) { | |||
| if (acceptedCallback) { | |||
There was a problem hiding this comment.
can this ever be false? I see this before
acceptedCallback = acceptedCallback || function noop() {};
There was a problem hiding this comment.
Good point forgot to remove that
| // accepted by the service provider, on the other hand | ||
| // we still need to wait for (loginOrRejectTask) to trigger the event. | ||
| // loginOrRejectTask might never be triggered in case of transport=manual | ||
| acceptedCallback(null, payload); |
There was a problem hiding this comment.
Seems like this actually needs to be always there, so the previous if is not required ?
lib/transaction/index.js
Outdated
| callback(null, verificationStep); | ||
| }); | ||
| }; | ||
|
|
||
| transaction.prototype.getAuthVerficationStep = function getAuthVerficationStep() { |
There was a problem hiding this comment.
Typo in "getAuthVerficationStep()", missing "i" in verification
|
|
||
| ```js | ||
| // WARNING 1: This is an advanced example, before using it consider if the | ||
| // hosted-page option does not match you use case, they are easier to implement |
There was a problem hiding this comment.
It is your environment not yours enrollment. Good catch :)
docs/server-side.md
Outdated
| ```js | ||
| // WARNING 1: This is an advanced example, before using it consider if the | ||
| // hosted-page option does not match you use case, they are easier to implement | ||
| // and better suitted for most use cases. |
| // WARNING 2: POST Methods require CSRF protection, don't forget to add them or | ||
| // you will be at risk of CSRF attacks, this example left them out for simplicity | ||
| // reasons and because there are many different ways to add them that | ||
| // are really specific to your enrollment. |
There was a problem hiding this comment.
I think this warning is superfluous; the default for a browser is to block XHR posts to other domains, so anyone adding a header for allowed origins do so at their own risk.
There was a problem hiding this comment.
I'm not sure if the warning is superfluos: cors is not necessary to do csrf, adding a form that triggers itself is enough (assuming there is a body parser that allows it), in this case the attack is quite difficult because you can trigger only one call, but some attackers tend to be smart and I think it is better to close as many doors as posible, even if they are not easy to exploit.
lib/errors/invalid_state_error.js
Outdated
| } | ||
|
|
||
| InvalidStateError.prototype = object.create(GuardianError.prototype); | ||
| InvalidStateError.prototype.contructor = InvalidStateError; |
lib/errors/unexpected_input_error.js
Outdated
| } | ||
|
|
||
| UnexpectedInputError.prototype = object.create(GuardianError.prototype); | ||
| UnexpectedInputError.prototype.contructor = UnexpectedInputError; |
lib/index.js
Outdated
| @@ -44,7 +53,7 @@ function auth0GuardianJS(options) { | |||
| self.httpClient = object.get(options, 'dependencies.httpClient', | |||
| httpClient(self.serviceUrl, globalTrackingId)); | |||
|
|
|||
| self.transport = options.transport || 'socket'; | |||
| self.transport = options.transport || options.state_checking_mechanism || 'socket'; | |||
There was a problem hiding this comment.
The jsdoc says stateCheckingMechanism; I don't see anything convering it to snake_case...
| if (transactionTokenObject.isExpired()) { | ||
| asyncHelpers.setImmediate(callback, new errors.CredentialsExpiredError()); | ||
| return; | ||
| } |
| ? self.authVerificationStep.serialize() : null; | ||
| data.enrollmentConfirmationStep = self.enrollmentConfirmationStep | ||
| ? self.enrollmentConfirmationStep.serialize() : null; | ||
|
|
There was a problem hiding this comment.
move 236, to:
data.enrollmentAttempt: this.enrollmentAttempt ? this.enrollmentAttempt.serialize() : undefined
Also