Error handling for non-https

[alexdahl-okta]

tl;dr In the config for oktaUrl, I accidentally used http instead of https. The resulting error is obscure, and I had a hard time troubleshooting.

Steps to reproduce

1. Follow the OIDC setup to create a new organization and app
2. Follow the readme quick start, but use"oktaUrl": "http://{{yourOktaOrg}}.oktapreview.com" instead of https.
3. Run npm start and open localhost:3000.
4. Go to "Log in by redirecting to Okta" and click "Sign in".
5. Submit the Okta sign in form with your credentials

Result

"id_token could not be decoded from the response":

I tried to debug by printing the token. I searched my local source for the error message, found route-handlers.js:174, and added + json to the status message. This revealed a redirect message instead of a token:

Following the redirect link revealed a server error response:

I did not mentally connect this back to my config URL. It wasn't until I was comparing my config file with someone else's that I noticed the http/https difference.

Thanks to @nbarbettini for helping me debug!

Potential improvements

• Catch non-token responses and throw a more descriptive error. It's true that the token could not be decoded, but that's because it wasn't actually a JWT to start with.
• Use an https oktaUrl in the default .samples.config.json, to make safe copy-pastes that don't include the protocol. This might align with issue #14.
• Improve E0000022's documentation (or summary) to clearly state that https is required, not merely that http is not supported.

[nbarbettini]

Thanks for the great issue reporting @alexdahl-okta 😄

Another potential fix is inspecting the config at startup, and throwing a warning or error if the oktaUrl is http but NOT localhost.

[nbarbettini]

Since we rebuilt all these samples from scratch, I tested this again. If I use http instead of https in webServer.oidc.issuer in .samples.config.json, the app refuses to start with a cryptic error message:

C:\Users\Nate\Documents\code\samples-nodejs-express-4 [master ≡ +0 ~2 -0 !]> npm run okta-hosted-login-server
(node:18300) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 1): SyntaxError: Unexpected token < in JSON at position 0
(node:18300) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

Since the config file now contains https by default, I don't think many people will run into this. Still, it'd be nice to output a warning if the issuer does not begin with https. And, if the discovery document can't be parsed, throw a meaningful error message.

cc @robertdamphousse-okta