fix(handlers): skip varcheck for state when allowEmptyState

node-oauth · Nov 29, 2021 · 4ca8032 · 4ca8032
1 parent 5f2b0bb
commit 4ca8032
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 7 deletions.
diff --git a/lib/handlers/authorize-handler.js b/lib/handlers/authorize-handler.js
@@ -238,13 +238,14 @@ AuthorizeHandler.prototype.getScope = function(request) {
 
 AuthorizeHandler.prototype.getState = function(request) {
  const state = request.body.state || request.query.state;
-
- if (!this.allowEmptyState && !state) {
- throw new InvalidRequestError('Missing parameter: `state`');
- }
-
- if (!is.vschar(state)) {
- throw new InvalidRequestError('Invalid parameter: `state`');
+ const stateExists = state && state.length > 0;
+ const stateIsValid = stateExists
+ ? is.vschar(state)
+ : this.allowEmptyState;
+
+ if (!stateIsValid) {
+ const message = (!stateExists) ? 'Missing' : 'Invalid';
+ throw new InvalidRequestError(`${message} parameter: \`state\``);
  }
 
  return state;

diff --git a/test/integration/handlers/authorize-handler_test.js b/test/integration/handlers/authorize-handler_test.js
@@ -932,6 +932,18 @@ describe('AuthorizeHandler integration', function() {
  }
  });
 
+ it('should allow missing `state` if `allowEmptyState` is valid', function () {
+ const model = {
+ getAccessToken: function() {},
+ getClient: function() {},
+ saveAuthorizationCode: function() {}
+ };
+ const handler = new AuthorizeHandler({ allowEmptyState: true, authorizationCodeLifetime: 120, model: model });
+ const request = new Request({ body: {}, headers: {}, method: {}, query: {} });
+ const state = handler.getState(request);
+ should.equal(state, undefined);
+ });
+
  it('should throw an error if `state` is invalid', function() {
  const model = {
  getAccessToken: function() {},