How to pass data to allow/deny dialog? #86
Comments
|
No, it's a few lines down: https://github.com/jaredhanson/oauth2orize/blob/master/lib/middleware/authorization.js#L142 needs to happen somewhere around here too: https://github.com/jaredhanson/oauth2orize/blob/master/lib/middleware/authorization.js#L160 |
|
The |
|
Basically, you're comment:
Why are you passing in something for the nexted function? If you pass |
|
I didn't explain clearly. Here's a snippet: exports.authorization = [
login.ensureLoggedIn('/login.html')
, server.authorization(
function checkAppIdAndUrl(appId, redirectURI, scope, type, done) {
// for brevity, I cut out the code that actually checks
done(null, consumer, redirectURI);
}
, function checkAuthorizationAndScope(consumer, user, scope, done) {
utils.permissions.delta(user.id, consumer.appId, { scope: scope }, function (err, newScope, invalids, reqScope) {
var ares = {
newScope: newScope
, invalids: invalids
, rawScope: scope
, requestedScope: reqScope
}
;
// just a nasty hack until this issue is solved
// https://github.com/jaredhanson/oauth2orize/issues/86
scope.ares = ares;
// this third argument should be for options that get passed to the dialog
// for example, showing new scope to allow
if (0 === Object.keys(newScope).length) {
// nothing new to ask for
done(null, true, ares);
} else {
// there are new things to ask for
done(null, false, ares);
}
});
}
)
, function askUserToAllowScope(req, res /*, next*/) {
console.log('[render dialog]');
var client = req.oauth2.client
, authReq = req.oauth2.req
, scope = authReq.scope
;
client.logo = client.logo || '/images/app.png';
res.render('dialog', {
transactionId: req.oauth2.transactionID
, user: {
name: req.user.name
, photo: req.user.photo
}
, scope: scope
, permissions: utils.permissions.stringify(scope.ares)
, client: req.oauth2.client
, url: req.url
, body: req.body
});
}
];Since I'm already doing all of the work to parse the scope and lookup the permissions, I don't want to do it again. |
|
Ah, OK, gotcha. Yes, I'd be fine with a patch that lets you pass your results on to the next middleware. |
|
In testing my little 2-line change I ran into another problem that I'll want to fix in the same patch. After the user accepts the permissions dialog the next interaction is the grant code. This seems to be the logical place to save the scope that the user accepted would be in this function, however, server.grant(oauth2orize.grant.code(function (consumer, redirectURI, user, ares, done) {
console.log('[grant code]', consumer.appId, user.id);
console.log(consumer);
var code = consumer.appId + ':' + utils.uid(16)
, values = {
userId: user.id
, scope: ares.scope
, appId: consumer.appId
, redirectURI: redirectURI
, ts: Date.now()
}
;
console.log('[grant] values', consumer.appId, user.id);
console.log(values);
console.log('ares.keys()');
console.log(Object.keys(ares)); // only ['allow']
console.log('ares'); // { allow: true }
console.log(ares);
utils.permissions.set(user.id, consumer.appId, { scope: ares.scope });
db.authorizationCodes.save(code, values, function (err) {
if (err) { return done(err); }
done(null, code);
});
}));Eventually I may also need access to the form body of the permission form response, as I may add checkboxes for optional permissions. |
|
I think I found it here: https://github.com/jaredhanson/oauth2orize/blob/master/lib/middleware/decision.js#L74 parse = parse || function(req, done) { return done(null, req.oauth2.res); };testing... |
|
nope... that wasn't it. |
|
Yes, I need to digest this a bit further, but I'd be disinclined against anything that attempted to carry a "response" through the transaction before it has ended. |
|
If you need to attach something during the "fail, not immediate" case, I would attach it to oauth2.req.extra or something to that effect. That data would carry through the transaction in the session. |
|
I don't care what it's named as long as I can access it. Would you mind doing the honor if naming things as you see fit and I'll just pull from you until it lands in npm? |
|
I will, but you've got the immediate use case. If you want the patched merged soonish, I'm going to depend on you to get it to release quality. Otherwise it'll sit in my queue until I have time, which is not likely going to be soon. |
|
Alright then, I'll rename it to info and republish once I get back home. :-) |
|
The discussion has been had. The pull request is in. Closing this since it's linked to in the Pull Request. |
|
You need to put it in decision flow. <button class="btn btn-danger" type="submit" name="cancel" value="Deny">Deny Then in Post: app.route('/oauth/authorize') oauth-config: ... module.exports = { |
I'm looking at this function here:
https://github.com/jaredhanson/oauth2orize/blob/master/lib/middleware/authorization.js#L139
And you only assign
oauth2.reqin whenallowistrue. Shouldn't it be assigned in both cases?In my use case I check to see if the scope has new permissions or not.
If the scope does not required new permissions, I pass
allowastrue.If the scope does require permissions that are being requested for the first time, I set
allowasfalseand pass in an object containing information necessary fornexted function, which is the one that renders the allow / deny permission dialog.I'd like to patch it so that
req.oauth2.resis set even in thefalsecondition, or perhaps another variable name would be better?I'd be happy to submit a patch, I just need to know your thoughts on how this should be handled.
The text was updated successfully, but these errors were encountered: