From a5f2529f8256bb55423592747a0e717bec2ee1e2 Mon Sep 17 00:00:00 2001 From: Josh Cunningham Date: Wed, 18 Sep 2019 14:17:04 -0700 Subject: [PATCH] Remove fragment response type and repost view --- lib/ResponseMode.js | 6 ----- middleware/auth.js | 24 +------------------- package-lock.json | 14 ++++++------ test/auth.tests.js | 11 ---------- test/respot.tests.js | 52 -------------------------------------------- views/repost.html | 42 ----------------------------------- 6 files changed, 8 insertions(+), 141 deletions(-) delete mode 100644 test/respot.tests.js delete mode 100644 views/repost.html diff --git a/lib/ResponseMode.js b/lib/ResponseMode.js index 34a1fe88..c6194227 100644 --- a/lib/ResponseMode.js +++ b/lib/ResponseMode.js @@ -21,12 +21,6 @@ module.exports = { */ Query: 'query', - /** - * Authorization Response parameters are encoded in - * the fragment added to the redirect_uri when redirecting back to the Client. - */ - Fragment: 'fragment', - /** * Authorization Response parameters are encoded as HTML form values * that are auto-submitted in the User Agent, and thus are transmitted via the HTTP POST method diff --git a/middleware/auth.js b/middleware/auth.js index 3cb6870e..e6d0be14 100644 --- a/middleware/auth.js +++ b/middleware/auth.js @@ -2,14 +2,10 @@ const express = require('express'); const cb = require('cb'); const createError = require('http-errors'); const { get: getConfig } = require('../lib/config'); -const memoize = require('p-memoize'); -const fs = require('fs'); const { get: getClient } = require('../lib/client'); const requiresAuth = require('./requiresAuth'); const { RequestContext, ResponseContext } = require('../lib/context'); -const getRepostView = memoize(() => fs.readFileSync(__dirname + '/../views/repost.html')); - /** * Returns a router with two routes /login and /callback * @@ -71,7 +67,6 @@ module.exports = function (params) { } let callbackMethod; - let repost; switch (authorizeParams.response_mode) { case 'form_post': 
@@ -80,18 +75,8 @@ module.exports = function (params) { case 'query': callbackMethod = 'get'; break; - case 'fragment': - callbackMethod = 'post'; - repost = true; - break; default: - if (/token/.test(authorizeParams.response_type)) { - callbackMethod = 'post'; - repost = true; - } - else { - callbackMethod = 'get'; - } + callbackMethod = 'get'; } router[callbackMethod](config.redirectUriPath, async (req, res, next) => { @@ -128,13 +113,6 @@ module.exports = function (params) { } }); - if (repost) { - router.get('/callback', async (req, res) => { - res.set('Content-Type', 'text/html'); - res.send(getRepostView()); - }); - } - if (config.required) { const requiresAuthMiddleware = requiresAuth(); if (typeof config.required === 'function') { diff --git a/package-lock.json b/package-lock.json index 3c447307..c122c249 100644 --- a/package-lock.json +++ b/package-lock.json @@ -220,7 +220,7 @@ }, "array-equal": { "version": "1.0.0", - "resolved": "https://registry.npmjs.org/array-equal/-/array-equal-1.0.0.tgz", + "resolved": "http://registry.npmjs.org/array-equal/-/array-equal-1.0.0.tgz", "integrity": "sha1-jCpe8kcv2ep0KwTHenUJO6J1fJM=", "dev": true }, @@ -1892,7 +1892,7 @@ }, "media-typer": { "version": "0.3.0", - "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz", + "resolved": "http://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz", "integrity": "sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g=", "dev": true }, @@ -1965,13 +1965,13 @@ }, "minimist": { "version": "0.0.8", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz", + "resolved": "http://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz", "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=", "dev": true }, "mkdirp": { "version": "0.5.1", - "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz", + "resolved": "http://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz", "integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=", "dev": true, "requires": { 
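Review bot: The `default:` branch of the `response_mode` switch now registers a GET callback for every value it does not recognise, so `response_mode: 'fragment'`, or a `response_type` containing `token` with no `response_mode`, is accepted silently even though the repost view that read fragment parameters is removed in this same commit. In those configurations the identity provider would presumably return the response in the URL fragment, which never reaches the server, and the callback would fail far from the cause. I would reject them when the router is built: `case 'fragment': throw new Error('response_mode "fragment" is not supported');` and, in `default:`, `if (/token/.test(authorizeParams.response_type)) throw new Error('response_type with a token requires response_mode "form_post"');` before `callbackMethod = 'get';`. The enclosing `module.exports = function (params)` starts and ends outside this hunk.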
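Review bot: The `resolved` URL for `array-equal` changes from `https://registry.npmjs.org/` to `http://registry.npmjs.org/`, and the same scheme change is repeated in the later package-lock.json hunks for `media-typer`, `minimist`, `mkdirp`, `os-tmpdir`, `path-is-absolute` and `through`. None of this relates to removing the fragment response mode; it looks like churn from regenerating the lockfile with a different npm client, though that is an inference. Over plain HTTP the only protection for these tarballs is the `integrity` value, which is a `sha1-` hash for all seven entries, so I would restore the `https://` URLs or regenerate the lockfile against the HTTPS registry before merging. All seven entries are marked `"dev": true`, so the exposure is to developer and CI installs rather than to consumers of the published package.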
@@ -2315,7 +2315,7 @@ }, "os-tmpdir": { "version": "1.0.2", - "resolved": "https://registry.npmjs.org/os-tmpdir/-/os-tmpdir-1.0.2.tgz", + "resolved": "http://registry.npmjs.org/os-tmpdir/-/os-tmpdir-1.0.2.tgz", "integrity": "sha1-u+Z0BseaqFxc/sdm/lc0VV36EnQ=", "dev": true }, @@ -2435,7 +2435,7 @@ }, "path-is-absolute": { "version": "1.0.1", - "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", + "resolved": "http://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha1-F0uSaHNVNP+8es5r9TpanhtcX18=", "dev": true }, @@ -3045,7 +3045,7 @@ }, "through": { "version": "2.3.8", - "resolved": "https://registry.npmjs.org/through/-/through-2.3.8.tgz", + "resolved": "http://registry.npmjs.org/through/-/through-2.3.8.tgz", "integrity": "sha1-DdTJ/6q8NXlgsbckEV1+Doai4fU=", "dev": true }, diff --git a/test/auth.tests.js b/test/auth.tests.js index 403ccec4..5d6b9115 100644 --- a/test/auth.tests.js +++ b/test/auth.tests.js @@ -1,6 +1,5 @@ const assert = require('chai').assert; const url = require('url'); -const fs = require('fs'); const request = require('request-promise-native').defaults({ simple: false, resolveWithFullResponse: true @@ -184,19 +183,9 @@ describe('auth', function() { }); it('should contain the two callbacks route', function() { - assert.ok(router.stack.some(filterRoute('POST', '/callback'))); assert.ok(router.stack.some(filterRoute('GET', '/callback'))); }); - it('should return an html on GET /callback', async function() { - const cookieJar = request.jar(); - const res = await request.get('/callback', { cookieJar, baseUrl, followRedirect: false }); - assert.equal(res.statusCode, 200); - assert.equal(res.headers['content-type'], 'text/html; charset=utf-8'); - const expectedBody = fs.readFileSync(`${__dirname}/../views/repost.html`, 'utf-8'); - assert.equal(res.body, expectedBody); - }); - }); }); }); 
diff --git a/test/respot.tests.js b/test/respot.tests.js deleted file mode 100644 index a0d1b643..00000000 --- a/test/respot.tests.js +++ /dev/null @@ -1,52 +0,0 @@ -const fs = require('fs'); -const { JSDOM } = require('jsdom'); -const { assert } = require('chai'); -const HTMLFormElement = require('jsdom/lib/jsdom/living/nodes/HTMLFormElement-impl').implementation; -const repostHTML = fs.readFileSync(`${__dirname}/../views/repost.html`, 'utf8'); -const querystring = require('querystring'); - -describe('FORM for repost HTML', function() { - let dom; - let form; - let originalSubmit; - const fields = { foo:'123', bar:'4556' }; - - //this is a hack because form.submit is not supported yet: - // https://github.com/jsdom/jsdom/issues/123 - before(function(){ - originalSubmit = HTMLFormElement.prototype.submit; - HTMLFormElement.prototype.submit = function() { - this.setAttribute('submitted', true); - }; - }); - - after(function(){ - HTMLFormElement.prototype.submit = originalSubmit; - }); - ///end of hack - - before(function() { - dom = new JSDOM(repostHTML, { - url: `https://localhost/callback#${querystring.encode(fields)}`, - runScripts: 'dangerously', - }); - form = dom.window.document.querySelector('form'); - }); - - it('should have method post', function() { - assert.equal(form.getAttribute('method'), 'POST'); - }); - - it('should contains the fields', function() { - const inputs = form.getElementsByTagName('input'); - Object.keys(fields).forEach((name, index) => { - assert.equal(inputs[index].getAttribute('type'), 'hidden'); - assert.equal(inputs[index].getAttribute('name'), name); - assert.equal(inputs[index].getAttribute('value'), fields[name]); - }); - }); - - it('should submit the form', function() { - assert.equal(form.getAttribute('submitted'), true); - }); -}); diff --git a/views/repost.html b/views/repost.html deleted file mode 100644 index 94843cfd..00000000 --- a/views/repost.html +++ /dev/null @@ -1,42 +0,0 @@ - - - Fragment Repost Form - - - - -