refactor: use param-util for parameter type checks and conversions

Author: jankapunkt

lib/grant-types/authorization-code-grant-type.js

@@ -11,6 +11,9 @@ const InvalidRequestError = require('../errors/invalid-request-error');
 const ServerError = require('../errors/server-error');
 const isFormat = require('@node-oauth/formats');
 const pkce = require('../pkce/pkce');
+const { isDefined, toString, isInTypes } = require('../utils/param-util');
+const isStringOrNumber = isInTypes('string', 'number');
+const isString = isInTypes('string');
 
 /**
  * @class
@@ -73,15 +76,21 @@ class AuthorizationCodeGrantType extends AbstractGrantType {
      */
 
   async getAuthorizationCode(request, client) {
-    if (!request.body.code) {
+    if (!isDefined(request.body.code)) {
       throw new InvalidRequestError('Missing parameter: `code`');
     }
 
-    if (!isFormat.vschar(request.body.code)) {
+    if (!isStringOrNumber(request.body.code)) {
       throw new InvalidRequestError('Invalid parameter: `code`');
     }
 
-    const code = await this.model.getAuthorizationCode(request.body.code);
+    const requestCode = toString(request.body.code);
+
+    if (!isFormat.vschar(requestCode)) {
+      throw new InvalidRequestError('Invalid parameter: `code`');
+    }
+
+    const code = await this.model.getAuthorizationCode(requestCode);
 
     if (!code) {
       throw new InvalidGrantError('Invalid grant: authorization code is invalid');
@@ -163,7 +172,7 @@ class AuthorizationCodeGrantType extends AbstractGrantType {
 
     const redirectUri = request.body.redirect_uri || request.query.redirect_uri;
 
-    if (!redirectUri || !isFormat.uri(redirectUri)) {
+    if (!redirectUri || !isString(redirectUri) || !isFormat.uri(redirectUri)) {
       throw new InvalidRequestError('Invalid request: `redirect_uri` is not a valid URI');
     }
 

lib/grant-types/password-grant-type.js

@@ -9,6 +9,8 @@ const InvalidArgumentError = require('../errors/invalid-argument-error');
 const InvalidGrantError = require('../errors/invalid-grant-error');
 const InvalidRequestError = require('../errors/invalid-request-error');
 const isFormat = require('@node-oauth/formats');
+const { isDefined, isInTypes } = require('../utils/param-util');
+const isString = isInTypes('string');
 
 /**
  * Constructor.
@@ -58,19 +60,19 @@ class PasswordGrantType extends AbstractGrantType {
 	 */
 
   async getUser(request, client) {
-    if (!request.body.username) {
+    if (!isDefined(request.body.username)) {
       throw new InvalidRequestError('Missing parameter: `username`');
     }
 
-    if (!request.body.password) {
+    if (!isDefined(request.body.password)) {
       throw new InvalidRequestError('Missing parameter: `password`');
     }
 
-    if (!isFormat.uchar(request.body.username)) {
+    if (!isString(request.body.username) || !isFormat.uchar(request.body.username)) {
       throw new InvalidRequestError('Invalid parameter: `username`');
     }
 
-    if (!isFormat.uchar(request.body.password)) {
+    if (!isString(request.body.password) || !isFormat.uchar(request.body.password)) {
       throw new InvalidRequestError('Invalid parameter: `password`');
     }
 

lib/grant-types/refresh-token-grant-type.js

@@ -11,6 +11,8 @@ const InvalidRequestError = require('../errors/invalid-request-error');
 const ServerError = require('../errors/server-error');
 const isFormat = require('@node-oauth/formats');
 const InvalidScopeError = require('../errors/invalid-scope-error');
+const { isInTypes, toString, isDefined } = require('../utils/param-util');
+const isStringOrNumber = isInTypes('string', 'number');
 
 /**
  * Constructor.
@@ -64,17 +66,22 @@ class RefreshTokenGrantType extends AbstractGrantType {
   /**
 	 * Get refresh token.
 	 */
-
   async getRefreshToken(request, client) {
-    if (!request.body.refresh_token) {
+    if (!isDefined(request.body.refresh_token)) {
       throw new InvalidRequestError('Missing parameter: `refresh_token`');
     }
 
-    if (!isFormat.vschar(request.body.refresh_token)) {
+    if (!isStringOrNumber(request.body.refresh_token)) {
+      throw new InvalidRequestError('Invalid parameter: `refresh_token`');
+    }
+
+    const refreshToken = toString(request.body.refresh_token);
+
+    if (!isFormat.vschar(refreshToken)) {
       throw new InvalidRequestError('Invalid parameter: `refresh_token`');
     }
 
-    const token = await this.model.getRefreshToken(request.body.refresh_token);
+    const token = await this.model.getRefreshToken(refreshToken);
 
     if (!token) {
       throw new InvalidGrantError('Invalid grant: refresh token is invalid');

lib/handlers/authorize-handler.js

@@ -21,6 +21,9 @@ const tokenUtil = require('../utils/token-util');
 const url = require('url');
 const pkce = require('../pkce/pkce');
 const { parseScope } = require('../utils/scope-util');
+const { isDefined, isInTypes } = require('../utils/param-util');
+const isString = isInTypes('string');
+const isStringOrNumber = isInTypes('string', 'number');
 
 /**
  * Response types.
@@ -160,17 +163,17 @@ class AuthorizeHandler {
     const self = this;
     const clientId = request.body.client_id || request.query.client_id;
 
-    if (!clientId) {
+    if (!isDefined(clientId)) {
       throw new InvalidRequestError('Missing parameter: `client_id`');
     }
 
-    if (!isFormat.vschar(clientId)) {
+    if (!isStringOrNumber(clientId) || !isFormat.vschar(clientId)) {
       throw new InvalidRequestError('Invalid parameter: `client_id`');
     }
 
     const redirectUri = request.body.redirect_uri || request.query.redirect_uri;
 
-    if (redirectUri && !isFormat.uri(redirectUri)) {
+    if (isDefined(redirectUri) && (!isString(redirectUri) || !isFormat.uri(redirectUri))) {
       throw new InvalidRequestError('Invalid request: `redirect_uri` is not a valid URI');
     }
 
@@ -236,7 +239,7 @@ class AuthorizeHandler {
 
   getState (request) {
     const state = request.body.state || request.query.state;
-    const stateExists = state && state.length > 0;
+    const stateExists = isString(state) && state.length > 0;
     const stateIsValid = stateExists
       ? isFormat.vschar(state)
       : this.allowEmptyState;

lib/utils/param-util.js

@@ -0,0 +1,54 @@
+'use strict';
+
+/**
+ * @module StringUtil
+ */
+
+/**
+ * Create a function to check, whether a value is one of the given types.
+ * @param types {...string[]}
+ * @return {function(*): boolean}
+ */
+function isInTypes (...types) {
+  return function (value) {
+    return types.includes(typeof value);
+  };
+}
+
+/**
+ * Check if a value is defined (not missing)
+ * @param value
+ * @return {boolean}
+ */
+function isDefined (value) {
+  // TODO: in future versions, consider changing this to `value !== undefined && value !== null && value !== ''`,
+  //   which might be a breaking changes for some users
+  return !!value;
+}
+
+/**
+ * Safely converts a value to a string in the following order:
+ * - If the value is already a string, return it.
+ * - If the value has a `toString` method, call it and return the result.
+ * - If the value is `null` or `undefined`, return an empty string.
+ * - Otherwise, use the global `String` function to convert the value.
+ * @param value {*}
+ * @return {string}
+ */
+function toString(value) {
+  if (typeof value === 'string') {
+    return value;
+  }
+
+  if (Object.prototype.hasOwnProperty.call(value, 'toString')) {
+    return value.toString();
+  }
+
+  if (value === null || value === undefined) {
+    return '';
+  }
+
+  return String(value);
+}
+
+module.exports = { isInTypes, isDefined, toString };

test/integration/grant-types/refresh-token-grant-type_test.js

@@ -187,22 +187,49 @@ describe('RefreshTokenGrantType integration', function() {
 
   describe('getRefreshToken()', function() {
     it('should throw an error if the `refreshToken` parameter is missing from the request body', async function() {
+      const client = {};
+      const model = Model.from({
+        getRefreshToken: () => should.fail(),
+        revokeToken: () => should.fail(),
+        saveToken: () => should.fail()
+      });
+      const values = [null, undefined];
+
+      for (const value of values) {
+        const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model });
+        const request = new Request({ body: { refresh_token: value }, headers: {}, method: {}, query: {} });
+
+        try {
+          await grantType.getRefreshToken(request, client);
+
+          should.fail();
+        } catch (e) {
+          e.should.be.an.instanceOf(InvalidRequestError);
+          e.message.should.equal('Missing parameter: `refresh_token`');
+        }
+      }
+    });
+
+    it('should throw an error if `refreshToken` is not a valid format', async () => {
       const client = {};
       const model = Model.from({
         getRefreshToken: () => should.fail(),
         revokeToken: () => should.fail(),
         saveToken: () => should.fail()
       });
       const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model });
-      const request = new Request({ body: {}, headers: {}, method: {}, query: {} });
+      const values = ['toke😇n', () => {}, [], Symbol('test')];
 
-      try {
-        await grantType.getRefreshToken(request, client);
+      for (const value of values) {
+        const request = new Request({ body: { refresh_token: value }, headers: {}, method: {}, query: {} });
+        try {
+          await grantType.getRefreshToken(request, client);
 
-        should.fail();
-      } catch (e) {
-        e.should.be.an.instanceOf(InvalidRequestError);
-        e.message.should.equal('Missing parameter: `refresh_token`');
+          should.fail();
+        } catch (e) {
+          e.should.be.an.instanceOf(InvalidRequestError);
+          e.message.should.equal('Invalid parameter: `refresh_token`');
+        }
       }
     });
 
@@ -233,6 +260,7 @@ describe('RefreshTokenGrantType integration', function() {
         revokeToken: () => should.fail(),
         saveToken: () => should.fail()
       });
+
       const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model });
       const request = new Request({ body: { refresh_token: '12345' }, headers: {}, method: {}, query: {} });
 
@@ -255,16 +283,20 @@ describe('RefreshTokenGrantType integration', function() {
         revokeToken: () => should.fail(),
         saveToken: () => should.fail()
       });
-      const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model });
-      const request = new Request({ body: { refresh_token: '12345' }, headers: {}, method: {}, query: {} });
 
-      try {
-        await grantType.getRefreshToken(request, client);
+      const values = [12345, '12345'];
+      for (const value of values) {
+        const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model });
+        const request = new Request({ body: { refresh_token: value }, headers: {}, method: {}, query: {} });
 
-        should.fail();
-      } catch (e) {
-        e.should.be.an.instanceOf(ServerError);
-        e.message.should.equal('Server error: `getRefreshToken()` did not return a `user` object');
+        try {
+          await grantType.getRefreshToken(request, client);
+
+          should.fail();
+        } catch (e) {
+          e.should.be.an.instanceOf(ServerError);
+          e.message.should.equal('Server error: `getRefreshToken()` did not return a `user` object');
+        }
       }
     });