Feature client data in body

.travis.yml

@@ -14,7 +14,7 @@ after_script: npm run test-server-close
 node_js:
   - "10"
   - "12"
-  - "13"
+  - "14"
   - "node"
 
 cache:

package.json

@@ -1,6 +1,6 @@
 {
   "name": "client-oauth2",
-  "version": "4.3.0",
+  "version": "4.3.3",
   "description": "Straight-forward execution of OAuth 2.0 flows and authenticated API requests",
   "main": "src/client-oauth2.js",
   "typings": "index.d.ts",
@@ -49,15 +49,15 @@
     "es6-promise": "^4.2.8",
     "express": "^4.17.1",
     "is-travis": "^2.0.0",
-    "karma": "^5.0.3",
+    "karma": "^5.1.1",
     "karma-browserify": "^7.0.0",
     "karma-chai": "^0.1.0",
     "karma-chrome-launcher": "^3.1.0",
     "karma-cli": "^2.0.0",
-    "karma-coverage": "^2.0.1",
+    "karma-coverage": "^2.0.3",
     "karma-firefox-launcher": "^1.3.0",
     "karma-mocha": "^2.0.1",
-    "mocha": "^7.1.0",
+    "mocha": "^8.1.0",
     "object-assign": "^4.1.1",
     "standard": "^14.3.3",
     "watchify": "^3.11.1"

src/client-oauth2.js

@@ -8,7 +8,7 @@ var btoa
 if (typeof Buffer === 'function') {
   btoa = btoaBuffer
 } else {
-  btoa = window.btoa
+  btoa = window.btoa.bind(window)
 }
 
 /**
@@ -161,13 +161,19 @@ function createUri (options, tokenType) {
   // Check the required parameters are set.
   expects(options, 'clientId', 'authorizationUri')
 
-  return options.authorizationUri + '?' + Querystring.stringify(Object.assign({
+  const qs = {
     client_id: options.clientId,
     redirect_uri: options.redirectUri,
-    scope: sanitizeScope(options.scopes),
     response_type: tokenType,
     state: options.state
-  }, options.query))
+  }
+  if (options.scopes !== undefined) {
+    qs.scope = sanitizeScope(options.scopes)
+  }
+
+  const sep = options.authorizationUri.includes('?') ? '&' : '?'
+  return options.authorizationUri + sep + Querystring.stringify(
+    Object.assign(qs, options.query))
 }
 
 /**
@@ -367,16 +373,22 @@ ClientOAuth2Token.prototype.refresh = function (opts) {
     return Promise.reject(new Error('No refresh token'))
   }
 
+  var body = {
+    refresh_token: this.refreshToken,
+    grant_type: 'refresh_token'
+  }
+  if (options.clientCredentialsInBody) {
+    body.client_id = options.clientId
+    body.client_secret = options.clientSecret
+  }
+
   return this.client._request(requestOptions({
     url: options.accessTokenUri,
     method: 'POST',
     headers: Object.assign({}, DEFAULT_HEADERS, {
       Authorization: auth(options.clientId, options.clientSecret)
     }),
-    body: {
-      refresh_token: this.refreshToken,
-      grant_type: 'refresh_token'
-    }
+    body: body
   }, options))
     .then(function (data) {
       return self.client.createToken(Object.assign({}, self.data, data))
@@ -415,18 +427,22 @@ OwnerFlow.prototype.getToken = function (username, password, opts) {
   var self = this
   var options = Object.assign({}, this.client.options, opts)
 
+  const body = {
+    username: username,
+    password: password,
+    grant_type: 'password'
+  }
+  if (options.scopes !== undefined) {
+    body.scope = sanitizeScope(options.scopes)
+  }
+
   return this.client._request(requestOptions({
     url: options.accessTokenUri,
     method: 'POST',
     headers: Object.assign({}, DEFAULT_HEADERS, {
       Authorization: auth(options.clientId, options.clientSecret)
     }),
-    body: {
-      scope: sanitizeScope(options.scopes),
-      username: username,
-      password: password,
-      grant_type: 'password'
-    }
+    body: body
   }, options))
     .then(function (data) {
       return self.client.createToken(data)
@@ -528,16 +544,21 @@ CredentialsFlow.prototype.getToken = function (opts) {
 
   expects(options, 'clientId', 'clientSecret', 'accessTokenUri')
 
+  const body = {
+    grant_type: 'client_credentials'
+  }
+
+  if (options.scopes !== undefined) {
+    body.scope = sanitizeScope(options.scopes)
+  }
+
   return this.client._request(requestOptions({
     url: options.accessTokenUri,
     method: 'POST',
     headers: Object.assign({}, DEFAULT_HEADERS, {
       Authorization: auth(options.clientId, options.clientSecret)
     }),
-    body: {
-      scope: sanitizeScope(options.scopes),
-      grant_type: 'client_credentials'
-    }
+    body: body
   }, options))
     .then(function (data) {
       return self.client.createToken(data)
@@ -621,10 +642,15 @@ CodeFlow.prototype.getToken = function (uri, opts) {
   // `client_id`: REQUIRED, if the client is not authenticating with the
   // authorization server as described in Section 3.2.1.
   // Reference: https://tools.ietf.org/html/rfc6749#section-3.2.1
-  if (options.clientSecret) {
-    headers.Authorization = auth(options.clientId, options.clientSecret)
-  } else {
+  if (options.clientCredentialsInBody) {
     body.client_id = options.clientId
+    body.client_secret = options.clientSecret
+  } else {
+    if (options.clientSecret) {
+      headers.Authorization = auth(options.clientId, options.clientSecret)
+    } else {
+      body.client_id = options.clientId
+    }
   }
 
   return this.client._request(requestOptions({
@@ -669,15 +695,20 @@ JwtBearerFlow.prototype.getToken = function (token, opts) {
     headers.Authorization = auth(options.clientId, options.clientSecret)
   }
 
+  const body = {
+    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+    assertion: token
+  }
+
+  if (options.scopes !== undefined) {
+    body.scope = sanitizeScope(options.scopes)
+  }
+
   return this.client._request(requestOptions({
     url: options.accessTokenUri,
     method: 'POST',
     headers: headers,
-    body: {
-      scope: sanitizeScope(options.scopes),
-      grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
-      assertion: token
-    }
+    body: body
   }, options))
     .then(function (data) {
       return self.client.createToken(data)

test/code.js

@@ -1,4 +1,4 @@
-/* global describe, it */
+/* global describe, it, context */
 var expect = require('chai').expect
 var config = require('./support/config')
 var ClientOAuth2 = require('../')
@@ -21,9 +21,76 @@ describe('code', function () {
       expect(githubAuth.code.getUri()).to.equal(
         config.authorizationUri + '?client_id=abc&' +
         'redirect_uri=http%3A%2F%2Fexample.com%2Fauth%2Fcallback&' +
-        'scope=notifications&response_type=code&state='
+        'response_type=code&state=&scope=notifications'
       )
     })
+    context('when scopes are undefined', function () {
+      it('should not include scope in the uri', function () {
+        var authWithoutScopes = new ClientOAuth2({
+          clientId: config.clientId,
+          clientSecret: config.clientSecret,
+          accessTokenUri: config.accessTokenUri,
+          authorizationUri: config.authorizationUri,
+          authorizationGrants: ['code'],
+          redirectUri: config.redirectUri
+        })
+        expect(authWithoutScopes.code.getUri()).to.equal(
+          config.authorizationUri + '?client_id=abc&' +
+          'redirect_uri=http%3A%2F%2Fexample.com%2Fauth%2Fcallback&' +
+          'response_type=code&state='
+        )
+      })
+    })
+    it('should include empty scopes array as an empty string', function () {
+      var authWithEmptyScopes = new ClientOAuth2({
+        clientId: config.clientId,
+        clientSecret: config.clientSecret,
+        accessTokenUri: config.accessTokenUri,
+        authorizationUri: config.authorizationUri,
+        authorizationGrants: ['code'],
+        redirectUri: config.redirectUri,
+        scopes: []
+      })
+      expect(authWithEmptyScopes.code.getUri()).to.equal(
+        config.authorizationUri + '?client_id=abc&' +
+        'redirect_uri=http%3A%2F%2Fexample.com%2Fauth%2Fcallback&' +
+        'response_type=code&state=&scope='
+      )
+    })
+    it('should include empty scopes string as an empty string', function () {
+      var authWithEmptyScopes = new ClientOAuth2({
+        clientId: config.clientId,
+        clientSecret: config.clientSecret,
+        accessTokenUri: config.accessTokenUri,
+        authorizationUri: config.authorizationUri,
+        authorizationGrants: ['code'],
+        redirectUri: config.redirectUri,
+        scopes: ''
+      })
+      expect(authWithEmptyScopes.code.getUri()).to.equal(
+        config.authorizationUri + '?client_id=abc&' +
+        'redirect_uri=http%3A%2F%2Fexample.com%2Fauth%2Fcallback&' +
+        'response_type=code&state=&scope='
+      )
+    })
+    context('when authorizationUri contains query parameters', function () {
+      it('should preserve query string parameters', function () {
+        const authWithParams = new ClientOAuth2({
+          clientId: config.clientId,
+          clientSecret: config.clientSecret,
+          accessTokenUri: config.accessTokenUri,
+          authorizationUri: config.authorizationUri + '?bar=qux',
+          authorizationGrants: ['code'],
+          redirectUri: config.redirectUri,
+          scopes: 'notifications'
+        })
+        expect(authWithParams.code.getUri()).to.equal(
+          config.authorizationUri + '?bar=qux&client_id=abc&' +
+          'redirect_uri=http%3A%2F%2Fexample.com%2Fauth%2Fcallback&' +
+          'response_type=code&state=&scope=notifications'
+        )
+      })
+    })
   })
 
   describe('#getToken', function () {
@@ -36,6 +103,16 @@ describe('code', function () {
         })
     })
 
+    it('should request the token with body credentials', function () {
+      const opts = { clientCredentialsInBody: true }
+      return githubAuth.code.getToken(uri, opts)
+        .then(function (user) {
+          expect(user).to.an.instanceOf(ClientOAuth2.Token)
+          expect(user.accessToken).to.equal(config.accessToken)
+          expect(user.tokenType).to.equal('bearer')
+        })
+    })
+
     it('should reject with auth errors', function () {
       var errored = false
 

test/credentials.js

@@ -1,4 +1,4 @@
-/* global describe, it */
+/* global describe, it, context */
 var expect = require('chai').expect
 var config = require('./support/config')
 var ClientOAuth2 = require('../')
@@ -19,8 +19,62 @@ describe('credentials', function () {
           expect(user).to.an.instanceOf(ClientOAuth2.Token)
           expect(user.accessToken).to.equal(config.accessToken)
           expect(user.tokenType).to.equal('bearer')
+          expect(user.data.scope).to.equal('notifications')
         })
     })
+    context('when scopes are undefined', function () {
+      it('should not send scopes to an auth server', function () {
+        var authWithoutScopes = new ClientOAuth2({
+          clientId: config.clientId,
+          clientSecret: config.clientSecret,
+          accessTokenUri: config.accessTokenUri,
+          authorizationGrants: ['credentials']
+        })
+        return authWithoutScopes.credentials.getToken()
+          .then(function (user) {
+            expect(user).to.an.instanceOf(ClientOAuth2.Token)
+            expect(user.accessToken).to.equal(config.accessToken)
+            expect(user.tokenType).to.equal('bearer')
+            expect(user.data.scope).to.equal(undefined)
+          })
+      })
+    })
+    context('when scopes is an empty array', function () {
+      it('should send empty scope string to an auth server', function () {
+        var authWithoutScopes = new ClientOAuth2({
+          clientId: config.clientId,
+          clientSecret: config.clientSecret,
+          accessTokenUri: config.accessTokenUri,
+          authorizationGrants: ['credentials'],
+          scopes: []
+        })
+        return authWithoutScopes.credentials.getToken()
+          .then(function (user) {
+            expect(user).to.an.instanceOf(ClientOAuth2.Token)
+            expect(user.accessToken).to.equal(config.accessToken)
+            expect(user.tokenType).to.equal('bearer')
+            expect(user.data.scope).to.equal('')
+          })
+      })
+    })
+    context('when scopes is an empty string', function () {
+      it('should send empty scope string to an auth server', function () {
+        var authWithoutScopes = new ClientOAuth2({
+          clientId: config.clientId,
+          clientSecret: config.clientSecret,
+          accessTokenUri: config.accessTokenUri,
+          authorizationGrants: ['credentials'],
+          scopes: ''
+        })
+        return authWithoutScopes.credentials.getToken()
+          .then(function (user) {
+            expect(user).to.an.instanceOf(ClientOAuth2.Token)
+            expect(user.accessToken).to.equal(config.accessToken)
+            expect(user.tokenType).to.equal('bearer')
+            expect(user.data.scope).to.equal('')
+          })
+      })
+    })
 
     describe('#sign', function () {
       it('should be able to sign a standard request object', function () {