Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disallow "none" in any case #131

Merged
merged 4 commits into from
Sep 1, 2020
Merged

Disallow "none" in any case #131

merged 4 commits into from
Sep 1, 2020

Conversation

adamjmcgrath
Copy link
Contributor

@adamjmcgrath adamjmcgrath commented Aug 27, 2020
edited
Loading

Description

Don't allow NONE, None, noNE etc for idTokenSigningAlg

Testing

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not master

@adamjmcgrath adamjmcgrath added the review:tiny Tiny review label Aug 27, 2020
@adamjmcgrath adamjmcgrath requested a review from a team August 27, 2020 09:37
@adamjmcgrath adamjmcgrath reopened this Aug 27, 2020
@adamjmcgrath
Copy link
Contributor Author

Just investigating the broken build... CircleCI doesn't seem to like puppeteer today

@adamjmcgrath adamjmcgrath force-pushed the case-insensitive-none branch from d2bfa76 to c0fd31e Compare August 27, 2020 10:30
@adamjmcgrath adamjmcgrath reopened this Aug 28, 2020
adamjmcgrath
adamjmcgrath commented Aug 28, 2020
View reviewed changes
.circleci/config.yml
@@ -2,7 +2,7 @@ version: 2
jobs:
build:
docker:
- image: circleci/node:10-browsers
- image: circleci/node:12-browsers
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was having issue with the node 10 circle ci image and node 12 is the current active lts version

adamjmcgrath
adamjmcgrath commented Aug 28, 2020
View reviewed changes
lib/config.js
@@ -126,7 +126,11 @@ const paramsSchema = Joi.object({
idpLogout: Joi.boolean()
.optional()
.default((parent) => parent.auth0Logout || false),
idTokenSigningAlg: Joi.string().not('none').optional().default('RS256'),
idTokenSigningAlg: Joi.string()
.insensitive()
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just adding .insensitive() to make the validation case insensitive

adamjmcgrath
adamjmcgrath commented Aug 28, 2020
View reviewed changes
test/config.tests.js
let expected = '"idTokenSigningAlg" contains an invalid value';
assert.throws(() => config('none'), TypeError, expected);
assert.throws(() => config('NONE'), TypeError, expected);
assert.throws(() => config('noNE'), TypeError, expected);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding 2 new cases for NONE and noNE

@adamjmcgrath adamjmcgrath mentioned this pull request Aug 28, 2020
Merged
@adamjmcgrath adamjmcgrath merged commit 2ae8d3e into beta-2 Sep 1, 2020
@adamjmcgrath adamjmcgrath deleted the case-insensitive-none branch September 1, 2020 10:28
adamjmcgrath added a commit that referenced this pull request Sep 17, 2020
@adamjmcgrath @panva @davidpatrick
Release v2 (#137)
0def341 
* Update beta version

* Initial commit of Beta 2 branch

Co-authored-by: Filip Skokan <panva.ip@gmail.com>

* Add PKCE tests and fix multiple servers in tests (#110)

* [SDK-1714] [SDK-1723] Session cookie checks (#111)

* Refactor the tests a little to use a server
* simplify test
* tests for unordered cookie chunks
* Test format changes for transient handler
* Update lib/transientHandler.js

Co-authored-by: Filip Skokan <panva.ip@gmail.com>

* [SDK-1715] Configuration and API updates (#109)

* Simplify the config tests, test more with less code
* Validate config fixes and tests
* Add comment, update tests
* `Issuer.discover` only takes a fully qualified url
* Simpler scope assertion and keep all config tests in same file
* Let auth server set default for response_type: code
* clientSecret is required for HS* algs regardless of response_type

Co-authored-by: Filip Skokan <panva.ip@gmail.com>

* [SDK-1712] Test token set (#108)

* Add tests for TokenSet
* Refactor the tests a little
* Split up code flow tests
* Add tests for access token expiry

* Add Prettier for style formatting (#112)

* Add prettier

* Run `prettier --write .`

* [SDK-1716] Add tests for claim* MW (#113)

* Add tests for claim* MW

* Fix tests

* Add some tests for session duration behaviour

* Revert "Add some tests for session duration behaviour"

This reverts commit e3ce510.

* Add some tests for session duration behaviour (#114)

* Add test for passing custom param to logout (#115)

* [SDK-1721] Auto generated docs (#117)

* Auto generated docs with typedoc

* fix lgtm

* Fix auth params

* Fix incorrect import of `requiresAuth` (#118)

* Add TROUBLESHOOTING and update debug logging (#120)

* Add TROUBLESHOOTING and update debug logging

* fix tests

* Update lib/context.js

Co-authored-by: Filip Skokan <panva.ip@gmail.com>

Co-authored-by: Filip Skokan <panva.ip@gmail.com>

* attemptSilentLogin feature (#121)

* attemptSilentLogin feature

* Resume silent login after successful login so that users try silent login again after their session's expire

* `postLogoutRedirectUri` isn't always a URI and login needs a check for `response_type` (#123)

* [SDK-1877] Add refresh method to access token (#124)

* Add refresh method to access token

* Add method to fetch userinfo

* Add refresh example to docs

* Not all refresh token grants get a new refresh token back (eg non rotating) and remove unneeded opts

* Scope all cookies (skipSilentLogin, transient and appSession) to the app session cookie path and domain config (if specified) (#125)

* [SDK-1722] Architecture (#128)

* Default Login flow docs

* Add logout

* add link from readme

* [SDK-1876] [SDK-1726] Add samples and smoke tests (#127)

* Add samples and smoke tests

* Fix CI

* Make the test clearer that discovery alg is ignored (#130)

* Make the test clearer that discovery alg is ignored

* Add test to show "none" disallowed for idTokenSigningAlg

* Disallow "none" in any case (#131)

* Disallow "none" in any case

* Fix puppeteer in CircleCI https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md#running-puppeteer-on-circleci

* Revert "Fix puppeteer in CircleCI https://github.com/puppeteer/puppeteer/blob/main/docs/troubleshooting.md#running-puppeteer-on-circleci"

This reverts commit c0fd31e

* use active lts

* [SDK-1914] Add a migration guide for v1 to v2 (#129)

* Add a migration guide for v1 to v2

* Apply suggestions from code review

Co-authored-by: Filip Skokan <panva.ip@gmail.com>

* Updates per PR comments

Co-authored-by: Filip Skokan <panva.ip@gmail.com>

* Release 2.0.0-beta.0 (#132)

* Release 2.0.0-beta.0

* Ignore docs from lint

* Fixes the numbering on examples (#136)

* chore: update jose and openid-client (#134)

Co-authored-by: Filip Skokan <panva.ip@gmail.com>
Co-authored-by: David Patrick <david.patrick@auth0.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lbalmaceda lbalmaceda lbalmaceda approved these changes

Assignees
No one assigned
Labels
review:tiny Tiny review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@adamjmcgrath @lbalmaceda