Add custom state handling #60

Merged
merged 8 commits into from
Feb 13, 2020

@joshcanhelp joshcanhelp commented Jan 28, 2020

Description

  • Adds the ability to define a custom state value using the configuration key getLoginState set to a function. See EXAMPLES.md in this PR for a how-to.
  • Removes the ability to define nonce and state in the options object passed to req.openid.login()
  • Adds req.openid.encodeState() and req.openid.decodeState()

Testing

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not master

EXAMPLES.md Outdated
customProperty: req.someProperty,
};
// This value will be sent in a URL parameter so it should be transfer-safe.
return req.openid.encodeState(state);
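
Review bot: the comment above `return req.openid.encodeState(state);` only says the value should be transfer-safe. Because it is sent in a URL parameter it will also show up in browser history and server logs, so the example should state that `customProperty` must not hold anything sensitive.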

@joshcanhelp joshcanhelp Jan 28, 2020

Allowing this for flexibility but could do encoding/decoding in the library automatically ... or allow both, if the value is not a string then encode?

Are there any use cases where the state should not be encoded? Even if it is a string, it presumably has the potential to contain URL-unsafe characters.

If that holds true I would move the encode operation into the library so that it just always does it and not let the developer hang themselves by doing something that might break the redirect.

Thanks Steve. I think you're right, there's just really no reason to require a developer to encode this state if we're managing everything else for them. Will adjust.
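
The encoding question settled in the thread above, as an added example that is not code from this PR or from the library: state is always serialized to base64url JSON, matched against the stored value on callback, and only then decoded. All function names here and the `idp.example` / `app.example` hosts are hypothetical.

```javascript
const { randomBytes, timingSafeEqual } = require('crypto');

// Hypothetical helpers for illustration; not the library's encodeState/decodeState.
const toBase64Url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Always encode: JSON -> base64url, plus a random nonce that custom data cannot override.
function encodeLoginState(custom) {
  const payload = { ...custom, nonce: toBase64Url(randomBytes(16)) };
  return toBase64Url(Buffer.from(JSON.stringify(payload), 'utf8'));
}

// Returns the decoded object, or null when the value is not a base64url-encoded JSON object.
function decodeLoginState(value) {
  if (typeof value !== 'string' || !/^[A-Za-z0-9_-]+$/.test(value)) return null;
  try {
    const obj = JSON.parse(Buffer.from(value, 'base64').toString('utf8'));
    return obj && typeof obj === 'object' && !Array.isArray(obj) ? obj : null;
  } catch (err) {
    return null;
  }
}

// Callback side: the returned state must match the stored one before it is decoded.
function verifyReturnedState(returned, stored) {
  if (typeof returned !== 'string' || typeof stored !== 'string') return null;
  const a = Buffer.from(returned, 'utf8');
  const b = Buffer.from(stored, 'utf8');
  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
  return decodeLoginState(returned);
}

// What the callback reads back when a raw, unencoded string is put in the redirect URL.
function naiveCallbackValue(raw) {
  return new URL('https://app.example/callback?state=' + raw).searchParams.get('state');
}

// Constructed sample flow: encode, carry through the query string, verify, decode.
function roundTrip(custom) {
  const state = encodeLoginState(custom);
  const authorizeUrl = new URL('https://idp.example/authorize');
  authorizeUrl.searchParams.set('state', state);
  const callbackUrl = new URL('https://app.example/callback' + authorizeUrl.search);
  const returned = callbackUrl.searchParams.get('state');
  return { state, unescaped: authorizeUrl.search === '?state=' + state,
           decoded: verifyReturnedState(returned, state) };
}
```

With a constructed `returnTo` of `/cart?item=1&ref=a+b`, the raw string comes back cut off at the first `&`, while the encoded state survives the redirect unchanged.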

@@ -84,7 +88,3 @@ function createNonce() {
function deleteCookie(name, res) {
res.cookie(name, '', {maxAge: 0});
}

exports.store = store;
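
Review bot: in `deleteCookie`, `res.cookie(name, '', {maxAge: 0});` passes no path or domain, and a browser only overwrites a cookie whose name, path and domain all match. If the store sets its cookies with non-default attributes, pass the same ones here (or accept them as a parameter) so the cookie is actually removed.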

Just moving these to the top for clarity

@joshcanhelp joshcanhelp marked this pull request as ready for review January 28, 2020 18:27
@joshcanhelp joshcanhelp added this to the v0.7.0 milestone Jan 28, 2020
@joshcanhelp joshcanhelp requested a review from a team February 3, 2020 16:49

@joshcanhelp

@stevehobbsdev - Thanks again for your feedback here. I like this implementation much better! Ready for re-review.

@stevehobbsdev stevehobbsdev left a comment

LGTM!

@joshcanhelp joshcanhelp merged commit 75d48c6 into auth0:master Feb 13, 2020
@joshcanhelp joshcanhelp deleted the add-custom-state-handling branch February 13, 2020 20:34