ConsumerStrategy and TokenStrategy default host support (useful when the server is accessed by proxy or load balancer)

Author: harrisiirak

lib/passport-http-oauth/strategies/consumer.js

@@ -55,7 +55,7 @@ var passport = require('passport')
  * `authInfo` will contain the following properties:
  *
  *     scheme             always set to `OAuth`
- *     oauth.callbackURL  URL to redirect the user to after authorization 
+ *     oauth.callbackURL  URL to redirect the user to after authorization
  *
  * When the consumer is making a request to the access token endpoint,
  * `authInfo` will contain the following properties (in addition to any optional
@@ -117,14 +117,13 @@ function ConsumerStrategy(options, consumer, token, validate) {
   if (!consumer) throw new Error('HTTP OAuth consumer authentication strategy requires a consumer function');
   if (!token) throw new Error('HTTP OAuth consumer authentication strategy requires a token function');
 
-  // TODO: Add option to default host if its not in the request header.
-
   passport.Strategy.call(this);
   this.name = 'oauth';
   this._consumer = consumer;
   this._token = token;
   this._validate = validate;
   this._realm = options.realm || 'Clients';
+  this._host = options.host || null;
 }
 
 /**
@@ -142,13 +141,13 @@ util.inherits(ConsumerStrategy, passport.Strategy);
 ConsumerStrategy.prototype.authenticate = function(req) {
   var params = undefined
     , header = null;
-  
+
   if (req.headers && req.headers['authorization']) {
     var parts = req.headers['authorization'].split(' ');
     if (parts.length == 2) {
       var scheme = parts[0]
         , credentials = parts[1];
-        
+
       if (/OAuth/i.test(scheme)) {
         params = utils.parseHeader(credentials);
         header = params;
@@ -157,28 +156,28 @@ ConsumerStrategy.prototype.authenticate = function(req) {
       return this.fail(400);
     }
   }
-  
+
   if (req.body && req.body['oauth_signature']) {
     if (params) { return this.fail(400); }
     params = req.body;
   }
-  
+
   if (req.query && req.query['oauth_signature']) {
     if (params) { return this.fail(400); }
     token = req.query['access_token'];
     params = req.query;
   }
-  
+
   if (!params) { return this.fail(this._challenge()); }
-  
+
   if (!params['oauth_consumer_key'] ||
       !params['oauth_signature_method'] ||
       !params['oauth_signature'] ||
       !params['oauth_timestamp'] ||
       !params['oauth_nonce']) {
     return this.fail(this._challenge('parameter_absent'), 400);
   }
-  
+
   var consumerKey = params['oauth_consumer_key']
     , requestToken = params['oauth_token']
     , signatureMethod = params['oauth_signature_method']
@@ -188,17 +187,17 @@ ConsumerStrategy.prototype.authenticate = function(req) {
     , callback = params['oauth_callback']
     , verifier = params['oauth_verifier']
     , version = params['oauth_version']
-    
+
   if (version && version !== '1.0') {
     return this.fail(this._challenge('version_rejected'), 400);
   }
-  
-  
+
+
   var self = this;
   this._consumer(consumerKey, function(err, consumer, consumerSecret) {
     if (err) { return self.error(err); }
     if (!consumer) { return self.fail(self._challenge('consumer_key_rejected')); }
-    
+
     if (!requestToken) {
       // If no `oauth_token` is present, the consumer is attempting to abtain
       // a request token.  Validate the request using only the consumer key
@@ -215,22 +214,22 @@ ConsumerStrategy.prototype.authenticate = function(req) {
         var info = {};
         info.scheme = 'OAuth';
         info.oauth = { callbackURL: callback }
-        
+
         // WARNING: If the consumer is not using OAuth 1.0a, the
         //          `oauth_callback` parameter will not be present.  Instead, it
         //          will be supplied when the consumer redirects the user to the
         //          service provider when obtaining authorization.  A service
         //          provider that unconditionally accepts a URL during this
         //          phase may be inadvertently assisting in session fixation
         //          attacks, as described here:
-        // 
+        //
         //          http://oauth.net/advisories/2009-1/
         //          http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/
         //
         //          Service providers are encouraged to implement monitoring to
         //          detect potential attacks, and display advisory notices to
         //          users.
-        
+
         return self.success(consumer, info);
       });
     } else {
@@ -249,41 +248,41 @@ ConsumerStrategy.prototype.authenticate = function(req) {
       self._token(requestToken, function(err, tokenSecret, info) {
         if (err) { return self.error(err); }
         if (!tokenSecret) { return self.fail(self._challenge('token_rejected')); }
-        
+
         validate(tokenSecret, function() {
           info = info || {};
           info.scheme = 'OAuth';
           info.oauth = { token: requestToken, verifier: verifier }
-          
+
           // WARNING: If the consumer is not using OAuth 1.0a, the
           //          `oauth_verifier` parameter will not be present.  This
           //          makes it impossible to know if the user who authorized the
           //          request token is the same user returning to the
           //          application, as described here:
           //
           //          http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/
-          
+
           return self.success(consumer, info);
         });
       });
     }
-    
+
     function validate(tokenSecret, ok) {
-      var url = utils.originalURL(req)
+      var url = utils.originalURL(self._host, req)
         , query = req.query
         , body = req.body;
-      
+
       var sources = [ header, query ];
-      if (req.headers['content-type'] && 
+      if (req.headers['content-type'] &&
           req.headers['content-type'].slice(0, 'application/x-www-form-urlencoded'.length) ===
               'application/x-www-form-urlencoded') {
         sources.push(body);
       }
-      
+
       var normalizedURL = utils.normalizeURI(url)
         , normalizedParams = utils.normalizeParams.apply(undefined, sources)
         , base = utils.constructBaseString(req.method, normalizedURL, normalizedParams);
-      
+
       if (signatureMethod == 'HMAC-SHA1') {
         var key = consumerSecret + '&';
         if (tokenSecret) { key += tokenSecret; }
@@ -301,7 +300,7 @@ ConsumerStrategy.prototype.authenticate = function(req) {
       } else {
         return self.fail(self._challenge('signature_method_rejected'), 400);
       }
-      
+
       // If execution reaches this point, the request signature has been
       // verified and authentication is successful.
       if (self._validate) {
@@ -335,12 +334,12 @@ ConsumerStrategy.prototype._challenge = function(problem, advice) {
   if (advice && advice.length) {
     challenge += ', oauth_problem_advice="' + utils.encode(advice) + '"';
   }
-  
+
   return challenge;
 }
 
 
 /**
  * Expose `TokenStrategy`.
- */ 
+ */
 module.exports = ConsumerStrategy;

lib/passport-http-oauth/strategies/token.js

@@ -109,14 +109,13 @@ function TokenStrategy(options, consumer, verify, validate) {
   if (!consumer) throw new Error('HTTP OAuth token authentication strategy requires a consumer function');
   if (!verify) throw new Error('HTTP OAuth token authentication strategy requires a verify function');
 
-  // TODO: Add option to default host if its not in the request header.
-
   passport.Strategy.call(this);
   this.name = 'oauth';
   this._consumer = consumer;
   this._verify = verify;
   this._validate = validate;
   this._realm = options.realm || 'Users';
+  this._host = options.host || null;
 }
 
 /**
@@ -134,13 +133,13 @@ util.inherits(TokenStrategy, passport.Strategy);
 TokenStrategy.prototype.authenticate = function(req) {
   var params = undefined
     , header = null;
-  
+
   if (req.headers && req.headers['authorization']) {
     var parts = req.headers['authorization'].split(' ');
     if (parts.length == 2) {
       var scheme = parts[0]
         , credentials = parts[1];
-        
+
       if (/OAuth/i.test(scheme)) {
         params = utils.parseHeader(credentials);
         header = params;
@@ -149,20 +148,20 @@ TokenStrategy.prototype.authenticate = function(req) {
       return this.fail(400);
     }
   }
-  
+
   if (req.body && req.body['oauth_signature']) {
     if (params) { return this.fail(400); }
     params = req.body;
   }
-  
+
   if (req.query && req.query['oauth_signature']) {
     if (params) { return this.fail(400); }
     token = req.query['access_token'];
     params = req.query;
   }
-  
+
   if (!params) { return this.fail(this._challenge()); }
-  
+
   if (!params['oauth_consumer_key'] ||
       !params['oauth_token'] ||
       !params['oauth_signature_method'] ||
@@ -171,68 +170,68 @@ TokenStrategy.prototype.authenticate = function(req) {
       !params['oauth_nonce']) {
     return this.fail(this._challenge('parameter_absent'), 400);
   }
-  
+
   var consumerKey = params['oauth_consumer_key']
     , accessToken = params['oauth_token']
     , signatureMethod = params['oauth_signature_method']
     , signature = params['oauth_signature']
     , timestamp = params['oauth_timestamp']
     , nonce = params['oauth_nonce']
     , version = params['oauth_version']
-    
+
   if (version && version !== '1.0') {
     return this.fail(this._challenge('version_rejected'), 400);
   }
-  
+
   var self = this;
   this._consumer(consumerKey, function(err, consumer, consumerSecret) {
     if (err) { return self.error(err); }
     if (!consumer) { return self.fail(self._challenge('consumer_key_rejected')); }
-    
+
     self._verify(accessToken, verified);
-    
+
     function verified(err, user, tokenSecret, info) {
       if (err) { return self.error(err); }
       if (!user) { return self.fail(self._challenge('token_rejected')); }
-      
+
       info = info || {};
       info.scheme = 'OAuth';
       info.client =
       info.consumer = consumer;
-      
-      var url = utils.originalURL(req)
+
+      var url = utils.originalURL(self._host, req)
         , query = req.query
         , body = req.body;
-      
+
       var sources = [ header, query ];
-      if (req.headers['content-type'] && 
+      if (req.headers['content-type'] &&
           req.headers['content-type'].slice(0, 'application/x-www-form-urlencoded'.length) ===
               'application/x-www-form-urlencoded') {
         sources.push(body);
       }
-      
+
       var normalizedURL = utils.normalizeURI(url)
         , normalizedParams = utils.normalizeParams.apply(undefined, sources)
         , base = utils.constructBaseString(req.method, normalizedURL, normalizedParams);
-      
+
       if (signatureMethod == 'HMAC-SHA1') {
         var key = consumerSecret + '&';
         if (tokenSecret) { key += tokenSecret; }
         var computedSignature = utils.hmacsha1(key, base);
-        
+
         if (signature !== computedSignature) {
           return self.fail(self._challenge('signature_invalid'));
         }
       } else if (signatureMethod == 'PLAINTEXT') {
         var computedSignature = utils.plaintext(consumerSecret, tokenSecret);
-        
+
         if (signature !== computedSignature) {
           return self.fail(self._challenge('signature_invalid'));
         }
       } else{
         return self.fail(self._challenge('signature_method_rejected'), 400);
       }
-      
+
       // If execution reaches this point, the request signature has been
       // verified and authentication is successful.
       if (self._validate) {
@@ -273,5 +272,5 @@ TokenStrategy.prototype._challenge = function(problem, advice) {
 
 /**
  * Expose `TokenStrategy`.
- */ 
+ */
 module.exports = TokenStrategy;

lib/passport-http-oauth/strategies/utils.js

@@ -20,12 +20,12 @@ var url = require('url')
  * @return {String}
  * @api private
  */
-exports.originalURL = function(req) {
+exports.originalURL = function(defaultHost, req) {
   var headers = req.headers
     , protocol = (req.connection.encrypted || req.headers['x-forwarded-proto'] == 'https')
                ? 'https'
                : 'http'
-    , host = headers.host
+    , host = defaultHost || headers.host
     , path = req.url || '';
   return protocol + '://' + host + path;
 };
@@ -43,13 +43,13 @@ exports.originalURL = function(req) {
 exports.parseHeader = function(credentials) {
   var params = {}
     , comps = credentials.match(/(\w+)="([^"]+)"/g);
-  
+
   if (comps) {
     for (var i = 0, len = comps.length; i < len; i++) {
       var comp = /(\w+)="([^"]+)"/.exec(comps[i])
         , name = exports.decode(comp[1])
         , val = exports.decode(comp[2]);
-        
+
       // Some clients (I'm looking at you request) erroneously add non-protocol
       // params to the `Authorization` header.  This check filters those params
       // out.  It also filters out the `realm` parameter, which is valid to
@@ -159,7 +159,7 @@ exports.normalizeParams = function(header, query, body) {
     });
   }
   mh.del('oauth_signature');
-  
+
   var normalizedParams = [];
   mh.keys().sort().forEach(function(key) {
     mh.values(key).sort().forEach(function(val) {