havard / node-openid

OpenID for Node.js

.verifyAssertion doesn't work #185

Closed thecookieswhoplays closed 1 year ago

thecookieswhoplays commented 1 year ago

Hi, so I am trying to authenticate a user with Steam using this endpoint:

  const callback = req.query.callback;
  if (!callback) res.status(400).send("Callback is missing try to relogin.");
  const relyingParty = new openid.RelyingParty(
    `${req.protocol}://${req.get(
      "host"
    )}/api/auth/return/?callback=${callback}`,
    `${req.protocol}://${req.get("host")}`,
    true,
    true
  );
  const returnto = req.query["openid.return_to"];
  console.log(returnto);
  console.log(url.parse(returnto, true));
  console.log(`${req.protocol}://${req.get("host")}${req.url}}`);
  relyingParty.verifyAssertion(req.url, function (err, result) {
    if (err) {
      console.error(err);
      return res.status(500).send(err.message);
    }

    if (!result || !result.authenticated)
      return res.status(500).send("Failed to authenticate user.");
    if (
      !/^https?:\/\/steamcommunity\.com\/openid\/id\/\d+$/.test(
        result.claimedIdentifier
      )
    )
      return res.status(500).send("Claimed identity is not valid.");
    fetchIdentifier(result.claimedIdentifier)
      .then(function (user) {
        return res.status(200).json(user);
      })
      .catch(function (err) {
        next(err);
      });
  });
});

but I keep getting "Invalid return URL". For context, here is what it prints:

Url {
  protocol: 'http:',
  slashes: true,
  auth: null,
  host: 'localhost:6969',
  port: '6969',
  hostname: 'localhost',
  hash: null,
  search: '?callback=http://localhost:6969/inventory',
  query: [Object: null prototype] {
    callback: 'http://localhost:6969/inventory'
  },
  pathname: '/api/auth/return',
  path: '/api/auth/return?callback=http://localhost:6969/inventory',
  href: 'http://localhost:6969/api/auth/return?callback=http://localhost:6969/inventory'
}
http://localhost:6969/api/auth/return?callback=http://localhost:6969/inventory&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Flogin&openid.claimed_id=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561198864826098&openid.identity=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561198864826098&openid.return_to=http%3A%2F%2Flocalhost%3A6969%2Fapi%2Fauth%2Freturn%3Fcallback%3Dhttp%3A%2F%2Flocalhost%3A6969%2Finventory&openid.response_nonce=2023-04-03T05%3A09%3A57Zo%2FvfhTT9EuE0TSbYtvY5GywmG00%3D&openid.assoc_handle=1234567890&openid.signed=signed%2Cop_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle&openid.sig=FIT%2F9WJ9V37HS2a2oyjm8fyyEHE%3D}
{ message: 'Invalid return URL' }

I went through the source code a little and I am guessing that the problem is in the query-parameter check.

havard commented 1 year ago

Sorry for the very late response here. New standards have replaced the OpenID 2.0 specification, which should now be considered obsolete. You should take a look at OpenID Connect, and maybe https://openid.net/specs/openid-connect-migration-1_0.html.

To answer your question: If they are different, they are different. The original return_to URL and the return_to URL in the assertion must match (scheme/host/path), and the assertion and the return_to URL must have the same parameters present with the same values.

havard commented 1 year ago

Closing this as not a bug.