Allow custom routes with or without leading slash

auth0 · Jan 7, 2020 · 5c8dd25 · 5c8dd25
1 parent d7ebc7a
commit 5c8dd25
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 9 deletions.
diff --git a/lib/config.js b/lib/config.js
@@ -53,9 +53,9 @@ const paramsSchema = Joi.object().keys({
   idTokenAlg: Joi.string().not('none').optional().default('RS256'),
   issuerBaseURL: Joi.alternatives([ Joi.string().uri(), Joi.string().hostname() ]).required(),
   legacySameSiteCookie: Joi.boolean().optional().default(true),
-  loginPath: Joi.string().optional().default('/login'),
-  logoutPath: Joi.string().optional().default('/logout'),
-  redirectUriPath: Joi.string().optional().default('/callback'),
+  loginPath: Joi.string().uri({relativeOnly: true}).optional().default('/login'),
+  logoutPath: Joi.string().uri({relativeOnly: true}).optional().default('/logout'),
+  redirectUriPath: Joi.string().uri({relativeOnly: true}).optional().default('/callback'),
   required: Joi.alternatives([ Joi.func(), Joi.boolean()]).optional().default(true),
   routes: Joi.boolean().optional().default(true),
 });

diff --git a/middleware/auth.js b/middleware/auth.js
@@ -10,6 +10,10 @@ const transient =  require('../lib/transientHandler');
 const { RequestContext, ResponseContext } = require('../lib/context');
 const appSession = require('../lib/appSession');
 
+const enforceLeadingSlash = (path) => {
+  return '/' === path.split('')[0] ? path : '/' + path;
+};
+
 /**
 * Returns a router with two routes /login and /callback
 *
@@ -50,10 +54,10 @@ module.exports = function (params) {
   });
 
   if (config.routes) {
-    router.get(config.loginPath, express.urlencoded({ extended: false }), (req, res) => {
+    router.get(enforceLeadingSlash(config.loginPath), express.urlencoded({ extended: false }), (req, res) => {
       res.openid.login({ returnTo: config.baseURL });
     });
-    router.get(config.logoutPath, (req, res) => res.openid.logout());
+    router.get(enforceLeadingSlash(config.logoutPath), (req, res) => res.openid.logout());
   }
 
   let callbackMethod;
@@ -69,7 +73,7 @@ module.exports = function (params) {
       callbackMethod = 'get';
   }
 
-  router[callbackMethod](config.redirectUriPath, express.urlencoded({ extended: false }), cookieParser(), async (req, res, next) => {
+  router[callbackMethod](enforceLeadingSlash(config.redirectUriPath), express.urlencoded({ extended: false }), cookieParser(), async (req, res, next) => {
     next = cb(next).once();
     try {
       const redirect_uri = res.openid.getRedirectUri();

diff --git a/test/auth.tests.js b/test/auth.tests.js
@@ -223,9 +223,9 @@ describe('auth', function() {
         clientID: '__test_client_id__',
         baseURL: 'https://example.org',
         issuerBaseURL: 'https://test.auth0.com',
-        redirectUriPath: '/custom-callback',
-        loginPath: '/custom-login',
-        logoutPath: '/custom-logout',
+        redirectUriPath: 'custom-callback',
+        loginPath: 'custom-login',
+        logoutPath: 'custom-logout',
       });
       baseUrl = await server.create(router);
     });