lucj / sails-oauth2-api


Skipping the authorization dialog for trusted apps #14

Closed davoscript closed 7 years ago

davoscript commented 7 years ago

Addressing issue #9.

The OAuth flow now validates whether the client is a trusted one. If trusted, the required parameters are added to the req object and the authorization dialog is skipped. For untrusted clients the dialog is displayed so the user can "Allow" or "Reject" permissions.

  app.get('/oauth/authorize',
    login.ensureLoggedIn(),
    server.authorize(function(clientId, redirectURI, done) {
      // Look the client up by id and require an exact match on the
      // registered redirect URI before a transaction is created.
      Client.findOne({clientId: clientId}, function(err, client) {
        if (err) { return done(err); }
        if (!client) { return done(null, false); }
        if (client.redirectURI !== redirectURI) { return done(null, false); }
        return done(null, client, client.redirectURI);
      });
    }),
    function(req, res, next) {
      // TRUSTED CLIENT
      // If the client is trusted, skip ahead to next(), which is the
      // server.decision() function that is normally called when the
      // auth dialog form is posted.
      if (req.oauth2.client.trusted) {
        // Add the params needed to simulate the auth dialog being posted.
        req.trusted = true;
        req.body = req.query;
        req.body.transaction_id = req.oauth2.transactionID;
        return next();
      }

      // Untrusted client: render the dialog so the user can allow or reject.
      return res.render('dialog', {
        transactionID: req.oauth2.transactionID,
        user: req.user,
        client: req.oauth2.client,
        jwtToken: req.query.token
      });
    },
    // These two methods are added here in case the form is skipped (TRUSTED CLIENT).
    server.decision(),
    server.errorHandler()
  );
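The middleware chain in the PR can be exercised without Express or oauth2orize by modelling its two decisions (client lookup with exact redirect URI match, then the trusted-client consent gate) as plain functions. The following is an added example, not code from the PR or from the sails-oauth2-api project; the client registry, `lookupClient`, `consentGate` and `authorize` are all constructed here and stand in for `Client.findOne`, `server.authorize()` and the middleware that follows it.

```javascript
// Added example (not from the PR or the sails-oauth2-api project): a
// dependency-free model of the /oauth/authorize chain so the trusted-client
// branch can be run and checked offline. All names below are constructed.

// Constructed registry standing in for the Client model the PR queries with
// Client.findOne. The `trusted` flag lives only in this server-side record.
const CLIENTS = {
  dashboard: { clientId: 'dashboard', redirectURI: 'https://dash.example/cb', trusted: true },
  partner:   { clientId: 'partner',   redirectURI: 'https://partner.example/cb', trusted: false },
};

let txnCounter = 0; // stands in for oauth2orize's transaction store

// Equivalent of the server.authorize() callback: returns the stored client
// only when it exists and the supplied redirect URI matches the registered
// one exactly; anything else is rejected before a transaction is created.
function lookupClient(clientId, redirectURI) {
  const client = CLIENTS[clientId];
  if (!client) return null;
  if (client.redirectURI !== redirectURI) return null;
  return client;
}

// Equivalent of the middleware after server.authorize(). Trusted clients go
// straight to the decision step with the same body the dialog form would
// have posted; everyone else gets the dialog rendered.
function consentGate(req) {
  if (req.oauth2.client.trusted) {
    // Same shape the PR builds: req.body = req.query plus transaction_id,
    // where transaction_id comes from the server-side transaction, not the URL.
    const body = Object.assign({}, req.query, { transaction_id: req.oauth2.transactionID });
    return { action: 'decision', trusted: true, body: body };
  }
  return {
    action: 'render',
    view: 'dialog',
    locals: {
      transactionID: req.oauth2.transactionID,
      user: req.user,
      client: req.oauth2.client,
      jwtToken: req.query.token,
    },
  };
}

// Runs the whole chain for one GET /oauth/authorize request. `user` is the
// already-authenticated user that login.ensureLoggedIn() would have provided.
function authorize(query, user) {
  const client = lookupClient(query.client_id, query.redirect_uri);
  if (!client) {
    return { action: 'reject', reason: 'unknown client_id or redirect_uri mismatch' };
  }
  txnCounter += 1;
  const req = { query: query, user: user, oauth2: { client: client, transactionID: 'txn-' + txnCounter } };
  return consentGate(req);
}

// Walk through the three cases: trusted client, untrusted client that also
// sends a bogus trusted=true query parameter, and a redirect URI mismatch.
const demoUser = { id: 'u1' };
console.log(authorize({ client_id: 'dashboard', redirect_uri: 'https://dash.example/cb', response_type: 'code' }, demoUser));
console.log(authorize({ client_id: 'partner', redirect_uri: 'https://partner.example/cb', response_type: 'code', trusted: 'true' }, demoUser));
console.log(authorize({ client_id: 'dashboard', redirect_uri: 'https://dash.example/cb/extra', response_type: 'code' }, demoUser));
```

Two properties worth checking in a review of this change are visible here: the consent skip is decided solely from the stored client record, so a `trusted` value in the query string changes nothing, and because the PR copies the whole query into `req.body`, every query parameter reaches `server.decision()` as if it had been posted from the form, with only `transaction_id` supplied from the server-side transaction.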
lucj commented 7 years ago

thanks a lot