fix(plugin-authorization): use orgId if emailhash unavailable (webex#…

…3788)
pagour98 · Sep 27, 2024 · 56ee8a7 · 56ee8a7
1 parent 768640a
commit 56ee8a7
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 4 deletions.
diff --git a/packages/@webex/plugin-authorization-browser-first-party/src/authorization.js b/packages/@webex/plugin-authorization-browser-first-party/src/authorization.js
@@ -103,14 +103,24 @@ const Authorization = WebexPlugin.extend({
     this._verifySecurityToken(location.query);
     this._cleanUrl(location);
 
+    let preauthCatalogParams;
+
+    const orgId = this._extractOrgIdFromCode(code);
+
+    if (emailhash) {
+      preauthCatalogParams = {emailhash};
+    } else if (orgId) {
+      preauthCatalogParams = {orgId};
+    }
+
     // Wait until nextTick in case `credentials` hasn't initialized yet
     process.nextTick(() => {
       this.webex.internal.services
-        .collectPreauthCatalog(emailhash ? {emailhash}: undefined)
+        .collectPreauthCatalog(preauthCatalogParams)
         .catch(() => Promise.resolve())
         .then(() => this.requestAuthorizationCodeGrant({code, codeVerifier}))
         .catch((error) => {
-          this.logger.warn('authorization: failed initial authorization code grant request', error)
+          this.logger.warn('authorization: failed initial authorization code grant request', error);
         })
         .then(() => {
           this.ready = true;
@@ -230,6 +240,20 @@ const Authorization = WebexPlugin.extend({
       });
   },
 
+  /**
+   * Extracts the orgId from the returned code from idbroker
+   * Description of how to parse the code can be found here:
+   * https://wiki.cisco.com/display/IDENTITY/Federated+Token+Validation
+   * @instance
+   * @memberof AuthorizationBrowserFirstParty
+   * @param {String} code
+   * @private
+   * @returns {String}
+   */
+  _extractOrgIdFromCode(code) {
+    return code?.split('_')[2] || undefined;
+  },
+
   /**
    * Checks if the result of the login redirect contains an error string
    * @instance

diff --git a/packages/@webex/plugin-authorization-browser-first-party/test/unit/spec/authorization.js b/packages/@webex/plugin-authorization-browser-first-party/test/unit/spec/authorization.js
@@ -183,7 +183,7 @@ describe('plugin-authorization-browser-first-party', () => {
         });
 
         it('collects the preauth catalog when emailhash is present in the state', async () => {
-          const code = 'auth code';
+          const code = 'authcode_clusterid_theOrgId';
           const webex = makeWebex(
             `http://example.com/?code=${code}&state=${base64.encode(
               JSON.stringify({emailhash: 'someemailhash'})
@@ -205,7 +205,7 @@ describe('plugin-authorization-browser-first-party', () => {
         });
 
         it('collects the preauth catalog no emailhash is present in the state', async () => {
-          const code = 'auth code';
+          const code = 'authcode_clusterid_theOrgId';
           const webex = makeWebex(
             `http://example.com/?code=${code}`
           );
@@ -220,6 +220,26 @@ describe('plugin-authorization-browser-first-party', () => {
 
           await webex.authorization.when('change:ready');
 
+          assert.calledOnce(requestAuthorizationCodeGrantStub);
+          assert.calledWith(requestAuthorizationCodeGrantStub, {code, codeVerifier: undefined});
+          assert.calledOnce(collectPreauthCatalogStub);
+          assert.calledWith(collectPreauthCatalogStub, {orgId: 'theOrgId'});
+        });
+
+        it('collects the preauth catalog with no emailhash and no orgId', async () => {
+          const code = 'authcode_clusterid';
+          const webex = makeWebex(`http://example.com/?code=${code}`);
+
+          const requestAuthorizationCodeGrantStub = sinon.stub(
+            Authorization.prototype,
+            'requestAuthorizationCodeGrant'
+          );
+          const collectPreauthCatalogStub = sinon
+            .stub(Services.prototype, 'collectPreauthCatalog')
+            .resolves();
+
+          await webex.authorization.when('change:ready');
+
           assert.calledOnce(requestAuthorizationCodeGrantStub);
           assert.calledWith(requestAuthorizationCodeGrantStub, {code, codeVerifier: undefined});
           assert.calledOnce(collectPreauthCatalogStub);
@@ -503,5 +523,46 @@ describe('plugin-authorization-browser-first-party', () => {
         assert.notInclude(href, 'csrf_token');
       });
     });
+
+    describe('#_extractOrgIdFromCode', () => {
+      it('extracts the orgId from the code', () => {
+        const webex = makeWebex(undefined, undefined, {
+          credentials: {
+            clientType: 'confidential',
+          },
+        });
+
+        const code = 'authcode_clusterid_theOrgId';
+        const orgId = webex.authorization._extractOrgIdFromCode(code);
+
+        assert.equal(orgId, 'theOrgId');
+      });
+
+      it('handles an invalid code', () => {
+        const webex = makeWebex(undefined, undefined, {
+          credentials: {
+            clientType: 'confidential',
+          },
+        });
+
+        const code = 'authcode_clusterid_';
+        const orgId = webex.authorization._extractOrgIdFromCode(code);
+
+        assert.isUndefined(orgId);
+      });
+
+      it('handles an completely invalid code', () => {
+        const webex = makeWebex(undefined, undefined, {
+          credentials: {
+            clientType: 'confidential',
+          },
+        });
+
+        const code = 'authcode';
+        const orgId = webex.authorization._extractOrgIdFromCode(code);
+
+        assert.isUndefined(orgId);
+      })
+    });
   });
 });