Mercurial > releases > comm-esr68 / changeset / 67b45a3d3df9b7d13f00dab4f7b4ce5473c24675
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 1599054 - allow callers to ommit sending OAuth2 client_secret parameter. r+a=mkmelin
authorJohn Bieling <john.bieling@gmx.de>
Sun, 01 Dec 2019 12:52:35 +0200
changeset 36078 67b45a3d3df9b7d13f00dab4f7b4ce5473c24675
parent 36077 e2debb9918bb39aa210e704db9c2dc6d8d086eaa
child 36079 2c52c943f7d3d234ae4ec35356f387b5daa557cd
push id77
push usergeoff@darktrojan.net
push dateWed, 22 Jan 2020 22:22:48 +0000
treeherdercomm-esr68@72e751b740f1 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs1599054
Bug 1599054 - allow callers to ommit sending OAuth2 client_secret parameter. r+a=mkmelin
mailnews/base/util/OAuth2.jsm file | annotate | diff | comparison | revisions 
--- a/mailnews/base/util/OAuth2.jsm
+++ b/mailnews/base/util/OAuth2.jsm
@@ -11,17 +11,31 @@ var EXPORTED_SYMBOLS = ["OAuth2"];
 const { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");
 const { Log4Moz } = ChromeUtils.import("resource:///modules/gloda/log4moz.js");
 
 Cu.importGlobalProperties(["fetch"]);
 
 // Only allow one connecting window per endpoint.
 var gConnecting = {};
 
-function OAuth2(aBaseURI, aScope, aAppKey, aAppSecret) {
+/**
+ * Constructor for the OAuth2 object.
+ *
+ * @constructor
+ * @param {string} aBaseURI - The base URI for authentication and token
+ *   requests, oauth2/auth or oauth2/token will be added for the actual
+ *   requests.
+ * @param {?string} aScope - The scope as specified by RFC 6749 Section 3.3.
+ *   Will not be included in the requests if falsy.
+ * @param {string} aAppKey - The client_id as specified by RFC 6749 Section
+ *   2.3.1.
+ * @param {string} [aAppSecret=null] - The client_secret as specified in
+ *    RFC 6749 section 2.3.1. Will not be included in the requests if null.
+ */
+function OAuth2(aBaseURI, aScope, aAppKey, aAppSecret = null) {
   this.authURI = aBaseURI + "oauth2/auth";
   this.tokenURI = aBaseURI + "oauth2/token";
   this.consumerKey = aAppKey;
   this.consumerSecret = aAppSecret;
   this.scope = aScope;
   this.extraAuthParams = [];
 
   this.log = Log4Moz.getConfiguredLogger("TBOAuth");
@@ -196,17 +210,22 @@ OAuth2.prototype = {
    * @param {boolean} aRefresh - Whether it's a refresh of a token or not.
    */
   requestAccessToken(aCode, aRefresh) {
     // @see RFC 6749 section 4.1.3. Access Token Request
     // @see RFC 6749 section 6. Refreshing an Access Token
 
     let data = new URLSearchParams();
     data.append("client_id", this.consumerKey);
-    data.append("client_secret", this.consumerSecret);
+    if (this.consumerSecret !== null) {
+      // Section 2.3.1. of RFC 6749 states that empty secrets MAY be omitted
+      // by the client. This OAuth implementation delegates this decission to
+      // the caller: If the secret is null, it will be omitted.
+      data.append("client_secret", this.consumerSecret);
+    }
 
     if (aRefresh) {
       this.log.info(
         `Making a refresh request to the token endpoint: ${this.tokenURI}`
       );
       data.append("grant_type", "refresh_token");
       data.append("refresh_token", aCode);
     } else {
comm-esr68
Deployed from 80bb07ef5c17 at 2020-12-01T16:21:11Z.