consent dialog fix

server/api/oauth2/controller/authorization.js

@@ -1,7 +1,6 @@
 import error from '../error'
 import response from '../response'
 import model from '../model'
-import authorization from './code'
 import wrap from '../wrap'
 
 module.exports = wrap(async (req, res, next) => {
@@ -116,22 +115,40 @@ module.exports = wrap(async (req, res, next) => {
     } else {
       consented = await model.user.consented(user.id, client.id, scope)
     }
+
+    // Ask for consent
+    if (!consented) return req.oauth2.decision(req, res, client, scope, user, redirectUri)
   }
 
-  // Ask for consent
-  if (!consented) return req.oauth2.decision(req, res, client, scope, user, redirectUri)
+  // Consent pushed, ensure valid session
+  if (req.method === 'POST' && req.session.csrf && !(req.body.csrf && req.body.csrf === req.session.csrf)) {
+    throw new error.InvalidRequest('Invalid session')
+  }
+
+  // Save consent
+  if (!consented) {
+    if (!req.body || (typeof req.body.decision) === 'undefined') {
+      throw new error.InvalidRequest('No decision parameter passed')
+    } else if (req.body.decision === '0') {
+      throw new error.AccessDenied('User denied access to the resource')
+    }
+    console.debug('Decision check passed')
+
+    await model.user.consent(user.id, client.id, scope)
+  }
 
   for (const i in grantTypes) {
     let data = null
     switch (grantTypes[i]) {
       case 'authorization_code':
-        data = await authorization.Code(req, res, client, scope, user, redirectUri, !consented)
+        data = await model.code.create(model.user.getId(user), model.client.getId(client), scope, model.code.ttl)
 
         resObj = Object.assign({ code: data }, resObj)
 
         break
       case 'implicit':
-        data = await authorization.Implicit(req, res, client, scope, user, redirectUri, !consented)
+        data = await model.accessToken.create(model.user.getId(user),
+          model.client.getId(client), scope, model.accessToken.ttl)
 
         resObj = Object.assign({
           token_type: 'bearer',

server/api/oauth2/controller/code/code.js

@@ -1,31 +0,0 @@
-import error from '../../error'
-import model from '../../model'
-
-module.exports = async (req, res, client, scope, user, redirectUri, consentRequested) => {
-  let codeValue = null
-
-  if (req.method === 'POST' && req.session.csrf && !(req.body.csrf && req.body.csrf === req.session.csrf)) {
-    throw new error.InvalidRequest('Invalid session')
-  }
-
-  if (consentRequested) {
-    if (!req.body || (typeof req.body.decision) === 'undefined') {
-      throw new error.InvalidRequest('No decision parameter passed')
-    } else if (req.body.decision === '0') {
-      throw new error.AccessDenied('User denied access to the resource')
-    }
-    console.debug('Decision check passed')
-
-    await model.user.consent(user.id, client.id, scope)
-  }
-
-  try {
-    codeValue = await req.oauth2.model.code.create(req.oauth2.model.user.getId(user),
-      req.oauth2.model.client.getId(client), scope, req.oauth2.model.code.ttl)
-  } catch (err) {
-    console.error(err)
-    throw new error.ServerError('Failed to call code.create function')
-  }
-
-  return codeValue
-}

server/api/oauth2/controller/code/implicit.js

@@ -1,31 +0,0 @@
-import error from '../../error'
-import model from '../../model'
-
-module.exports = async (req, res, client, scope, user, redirectUri, consentRequested) => {
-  let accessTokenValue = null
-
-  if (req.method === 'POST' && req.session.csrf && !(req.body.csrf && req.body.csrf === req.session.csrf)) {
-    throw new error.InvalidRequest('Invalid session')
-  }
-
-  if (consentRequested) {
-    if (!req.body || (typeof req.body.decision) === 'undefined') {
-      throw new error.InvalidRequest('No decision parameter passed')
-    } else if (req.body.decision === '0') {
-      throw new error.AccessDenied('User denied access to the resource')
-    }
-    console.debug('Decision check passed')
-
-    await model.user.consent(user.id, client.id, scope)
-  }
-
-  try {
-    accessTokenValue = await req.oauth2.model.accessToken.create(req.oauth2.model.user.getId(user),
-      req.oauth2.model.client.getId(client), scope, req.oauth2.model.accessToken.ttl)
-  } catch (err) {
-    console.error(err)
-    throw new error.ServerError('Failed to call accessToken.create function')
-  }
-
-  return accessTokenValue
-}

server/api/oauth2/controller/code/index.js

@@ -1,4 +0,0 @@
-module.exports = {
-  Code: require('./code'),
-  Implicit: require('./implicit')
-}

server/api/oauth2/controller/tokens/authorizationCode.js

@@ -33,7 +33,8 @@ module.exports = async (oauth2, client, providedCode, redirectUri) => {
   console.debug('Code fetched ', code)
 
   try {
-    await oauth2.model.refreshToken.removeByUserIdClientId(oauth2.model.code.getUserId(code), oauth2.model.code.getClientId(code))
+    await oauth2.model.refreshToken.removeByUserIdClientId(oauth2.model.code.getUserId(code),
+      oauth2.model.code.getClientId(code))
   } catch (err) {
     console.error(err)
     throw new error.ServerError('Failed to call refreshToken.removeByUserIdClientId function')
@@ -45,7 +46,8 @@ module.exports = async (oauth2, client, providedCode, redirectUri) => {
     console.debug('Client does not allow grant type refresh_token, skip creation')
   } else {
     try {
-      respObj.refresh_token = await oauth2.model.refreshToken.create(oauth2.model.code.getUserId(code), oauth2.model.code.getClientId(code), oauth2.model.code.getScope(code))
+      respObj.refresh_token = await oauth2.model.refreshToken.create(oauth2.model.code.getUserId(code),
+        oauth2.model.code.getClientId(code), oauth2.model.code.getScope(code))
     } catch (err) {
       console.error(err)
       throw new error.ServerError('Failed to call refreshToken.create function')
@@ -53,7 +55,8 @@ module.exports = async (oauth2, client, providedCode, redirectUri) => {
   }
 
   try {
-    respObj.access_token = await oauth2.model.accessToken.create(oauth2.model.code.getUserId(code), oauth2.model.code.getClientId(code), oauth2.model.code.getScope(code), oauth2.model.accessToken.ttl)
+    respObj.access_token = await oauth2.model.accessToken.create(oauth2.model.code.getUserId(code),
+      oauth2.model.code.getClientId(code), oauth2.model.code.getScope(code), oauth2.model.accessToken.ttl)
   } catch (err) {
     console.error(err)
     throw new error.ServerError('Failed to call accessToken.create function')

server/api/oauth2/controller/tokens/clientCredentials.js

@@ -17,7 +17,8 @@ module.exports = async (oauth2, client, wantScope) => {
   console.debug('Scope check passed ', scope)
 
   try {
-    resObj.access_token = await oauth2.model.accessToken.create(null, oauth2.model.client.getId(client), scope, oauth2.model.accessToken.ttl)
+    resObj.access_token = await oauth2.model.accessToken.create(null, oauth2.model.client.getId(client),
+      scope, oauth2.model.accessToken.ttl)
   } catch (err) {
     throw new error.ServerError('Failed to call accessToken.create function')
   }

server/api/oauth2/controller/tokens/password.js

@@ -38,7 +38,8 @@ module.exports = async (oauth2, client, username, password, scope) => {
   }
 
   try {
-    await oauth2.model.refreshToken.removeByUserIdClientId(oauth2.model.user.getId(user), oauth2.model.client.getId(client))
+    await oauth2.model.refreshToken.removeByUserIdClientId(oauth2.model.user.getId(user),
+      oauth2.model.client.getId(client))
   } catch (err) {
     throw new error.ServerError('Failed to call refreshToken.removeByUserIdClientId function')
   }
@@ -49,14 +50,16 @@ module.exports = async (oauth2, client, username, password, scope) => {
     console.debug('Client does not allow grant type refresh_token, skip creation')
   } else {
     try {
-      resObj.refresh_token = await oauth2.model.refreshToken.create(oauth2.model.user.getId(user), oauth2.model.client.getId(client), scope)
+      resObj.refresh_token = await oauth2.model.refreshToken.create(oauth2.model.user.getId(user),
+        oauth2.model.client.getId(client), scope)
     } catch (err) {
       throw new error.ServerError('Failed to call refreshToken.create function')
     }
   }
 
   try {
-    resObj.access_token = await oauth2.model.accessToken.create(oauth2.model.user.getId(user), oauth2.model.client.getId(client), scope, oauth2.model.accessToken.ttl)
+    resObj.access_token = await oauth2.model.accessToken.create(oauth2.model.user.getId(user),
+      oauth2.model.client.getId(client), scope, oauth2.model.accessToken.ttl)
   } catch (err) {
     throw new error.ServerError('Failed to call accessToken.create function')
   }

server/api/oauth2/controller/tokens/refreshToken.js

@@ -25,8 +25,8 @@ module.exports = async (oauth2, client, pRefreshToken, scope) => {
   }
 
   if (oauth2.model.refreshToken.getClientId(refreshToken) !== oauth2.model.client.getId(client)) {
-    console.warn('Client "' + oauth2.model.client.getId(client) + '" tried to fetch a refresh token which belongs to client"' +
-      oauth2.model.refreshToken.getClientId(refreshToken) + '"')
+    console.warn('Client %s tried to fetch a refresh token which belongs to client %s!', oauth2.model.client.getId(client),
+      oauth2.model.refreshToken.getClientId(refreshToken))
     throw new error.InvalidGrant('Refresh token not found')
   }
 
@@ -41,7 +41,8 @@ module.exports = async (oauth2, client, pRefreshToken, scope) => {
   }
 
   try {
-    accessToken = await oauth2.model.accessToken.fetchByUserIdClientId(oauth2.model.user.getId(user), oauth2.model.client.getId(client))
+    accessToken = await oauth2.model.accessToken.fetchByUserIdClientId(oauth2.model.user.getId(user),
+      oauth2.model.client.getId(client))
   } catch (err) {
     throw new error.ServerError('Failed to call accessToken.fetchByUserIdClientId function')
   }