
Move clientSecret checks into Joi schema
joshcanhelp committed Jan 24, 2020
1 parent c88a5d4 commit a709b2d
Showing 1 changed file with 32 additions and 22 deletions.
54 changes: 32 additions & 22 deletions lib/config.js
Expand Up @@ -18,7 +18,7 @@ const paramsSchema = Joi.object({
Joi.string(),
Joi.array().items(Joi.string()),
Joi.boolean().valid(false)
]).required().default(() => process.env.APP_SESSION_SECRET),
]).required(),
auth0Logout: Joi.boolean().optional().default(false),
authorizationParams: Joi.object({
response_type: Joi.string().optional().default('id_token'),
Expand All @@ -32,9 +32,26 @@ const paramsSchema = Joi.object({
return responseIncludesTokens ? 'form_post' : undefined;
}),
}).optional().unknown(true).default(),
baseURL: Joi.string().uri().required().default(() => process.env.BASE_URL),
clientID: Joi.string().required().default(() => process.env.CLIENT_ID),
clientSecret: Joi.string().optional().default(() => process.env.CLIENT_SECRET),
baseURL: Joi.string().uri().required(),
clientID: Joi.string().required(),
clientSecret: Joi.string().when(
Joi.ref('authorizationParams.response_type', {adjust: (value) => value && value.split(' ').includes('code')}),
{
is: true,
then: Joi.string().required().messages({
'any.required': '"clientSecret" is required for response_type code'
}),
otherwise: Joi.when(
Joi.ref('idTokenAlg', {adjust: (value) => value && 'HS' === value.substring(0,2)}),
{
is: true,
then: Joi.string().required().messages({
'any.required': '"clientSecret" is required for ID tokens with HS algorithms'
})
}
)
}
),
clockTolerance: Joi.number().optional().default(60),
errorOnRequiredAuth: Joi.boolean().optional().default(false),
getUser: Joi.function().optional().default(() => getUser),
Expand All @@ -46,7 +63,7 @@ const paramsSchema = Joi.object({
issuerBaseURL: Joi.alternatives([
Joi.string().uri(),
Joi.string().hostname()
]).required().default(() => process.env.ISSUER_BASE_URL),
]).required(),
legacySameSiteCookie: Joi.boolean().optional().default(true),
loginPath: Joi.string().uri({relativeOnly: true}).optional().default('/login'),
logoutPath: Joi.string().uri({relativeOnly: true}).optional().default('/logout'),
Expand All @@ -57,26 +74,19 @@ const paramsSchema = Joi.object({
});

module.exports.get = function(params) {
let config = typeof params == 'object' ? clone(params) : {};
let config = (typeof params == 'object' ? clone(params) : {});
config = Object.assign({
issuerBaseURL: process.env.ISSUER_BASE_URL,
baseURL: process.env.BASE_URL,
clientID: process.env.CLIENT_ID,
clientSecret: process.env.CLIENT_SECRET,
appSessionSecret: process.env.APP_SESSION_SECRET,
}, config);

const paramsValidation = paramsSchema.validate(config);

if(paramsValidation.error) {
if (paramsValidation.error) {
throw new Error(paramsValidation.error.details[0].message);
}

config = paramsValidation.value;

// Code grant requires a client secret to exchange the code for tokens
const responseTypeHasCode = config.authorizationParams.response_type.split(' ').includes('code');
if (responseTypeHasCode && !config.clientSecret) {
throw new Error('"clientSecret" is required for response_type code');
}

// HS256 ID tokens require a client secret to validate the signature.
if ('HS' === config.idTokenAlg.substring(0,2) && !config.clientSecret) {
throw new Error('"clientSecret" is required for ID tokens with HS algorithms');
}

return config;
return paramsValidation.value;
};
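Review bot: The two reasons a client secret is mandatory were dropped along with the post-validation checks (`// Code grant requires a client secret to exchange the code for tokens` and `// HS256 ID tokens require a client secret to validate the signature`) and nothing in the new `clientSecret` entry says why either branch exists; those comments should be restored above the `when`. Because both branches do the same thing (add `required()` with a different message), two chained `.when()` calls on the base `Joi.string()` express the rule without the nested `otherwise: Joi.when(...)`, provided the project's Joi version applies every matching `when` (it does in Joi 16+ unless `break` is set). Whether the refs see the `response_type` default of `'id_token'` declared a few lines above and the `idTokenAlg` default (outside this hunk) depends on Joi validating referenced keys first; the `value &&` guards in `adjust` cover the undefined case, but a one-line comment saying so would stop the next reader from removing them. Separately, `Object.assign({...env}, config)` in `get` copies an own `clientSecret: undefined` from `params` over the env fallback, whereas the removed `.default(() => process.env.CLIENT_SECRET)` would have filled it in — that is a fail-closed behaviour change (validation now errors instead of silently using the env value) and is probably fine, but worth a changelog line.
```javascript
  // Code grant needs the secret to exchange the code for tokens;
  // HS* ID tokens need it to verify the signature. Either condition
  // makes clientSecret mandatory, so the two rules are chained, not nested.
  // adjust() guards against undefined because the ref may resolve before
  // the referenced key's default is applied.
  clientSecret: Joi.string()
    .when(
      Joi.ref('authorizationParams.response_type', {adjust: (value) => value && value.split(' ').includes('code')}),
      {is: true, then: Joi.string().required().messages({'any.required': '"clientSecret" is required for response_type code'})}
    )
    .when(
      Joi.ref('idTokenAlg', {adjust: (value) => value && 'HS' === value.substring(0,2)}),
      {is: true, then: Joi.string().required().messages({'any.required': '"clientSecret" is required for ID tokens with HS algorithms'})}
    ),
  // … unchanged: clockTolerance and remaining schema keys …
```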
