jaredhanson / passport-oauth2-client-password

OAuth 2.0 client password authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-oauth2-client-password/?utm_source=github&utm_medium=referral&utm_campaign=passport-oauth2-client-password&utm_content=about
MIT License

Added support for public clients #9

Closed MattTannahill closed 9 years ago

MattTannahill commented 9 years ago

Sorry. I meant to submit a pull request for issue #8. I was having issues with NPM that night, so I couldn't make the tests. I didn't feel comfortable submitting a pull request while I couldn't verify that the tests still passed.

For context, I am using this to protect the /token endpoint of an OAuth2orize server. I'm authenticating a call from a public client (a Cordova/PhoneGap app). Because the client is public, the client does not have a secret. Per the OAuth 2.0 framework specification, this is acceptable. However, the client is required to provide a client ID in the body if it does not have a secret. Furthermore, OAuth2orize requires a client to be deserialized and added to the request object before running server.token(). This is still possible if the client ID is provided in the body.

To conform with the OAuth 2.0 framework, the secret must be optional.

MattTannahill commented 9 years ago

Maybe this should be its own strategy so that it does not create false positives when coders do not properly implement verify?