Merge pull request #30 from camfou/fix-stash-unstash-params

fix(delegation): dont use REDIS to store initial connectParams
camfou · May 21, 2021 · 16c8fca · 16c8fca
2 parents ce5f2e0 + 36358b8
commit 16c8fca
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 45 deletions.
diff --git a/oidc/stashParams.js b/oidc/stashParams.js
@@ -1,29 +1,13 @@
-/**
- * Module dependencies
- */
-
-var crypto = require('crypto')
-var client = require('../boot/redis').getClient()
-
 /**
  * Stash authorization params
  */
 
 function stashParams (req, res, next) {
-  var id = crypto.randomBytes(10).toString('hex')
-  var key = 'authorization:' + id
-  var ttl = 1200 // 20 minutes
-  var params = JSON.stringify(req.connectParams)
-  var multi = client.multi()
-
+  const params = JSON.stringify(req.connectParams)
+  const id = Buffer.from(params).toString('base64')
   req.session.state = id
   req.authorizationId = id
-
-  multi.set(key, params)
-  multi.expire(key, ttl)
-  multi.exec(function (err) {
-    return next(err)
-  })
+  next()
 }
 
 /**

diff --git a/oidc/unstashParams.js b/oidc/unstashParams.js
@@ -1,10 +1,4 @@
-/**
- * Module dependencies
- */
-
-var client = require('../boot/redis').getClient()
-var MissingStateError = require('../errors/MissingStateError')
-var ExpiredAuthorizationRequestError = require('../errors/ExpiredAuthorizationRequestError')
+const MissingStateError = require('../errors/MissingStateError')
 
 /**
  * Unstash authorization params
@@ -13,27 +7,13 @@ var ExpiredAuthorizationRequestError = require('../errors/ExpiredAuthorizationRe
 function unstashParams (req, res, next) {
   // OAuth 2.0 callbacks should have a state param
   // OAuth 1.0 must use the session to store the state value
-  var id = req.query.state || req.session.state
-  var key = 'authorization:' + id
-
-  if (!id) { // && request is OAuth 2.0
+  const base64state = req.query.state || req.session.state
+  if (!base64state) { // && request is OAuth 2.0
     return next(new MissingStateError())
   }
-
-  client.get(key, function (err, params) {
-    if (err) { return next(err) }
-
-    // This handles expired and mismatching state params
-    if (!params) { return next(new ExpiredAuthorizationRequestError()) }
-
-    try {
-      req.connectParams = JSON.parse(params)
-    } catch (err) {
-      next(err)
-    }
-
-    next()
-  })
+  const params = Buffer.from(base64state, 'base64').toString('ascii')
+  req.connectParams = JSON.parse(params)
+  next()
 }
 
 /**