[ESD-5519] Fix issue where authz header was overridden in code exchan…

…ge (#86) * Revert 82f1a0d which was overriding the Authz header and fix tests
auth0 · Apr 16, 2020 · e70153f · e70153f
1 parent e2feff2
commit e70153f
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 9 deletions.
diff --git a/lib/client.js b/lib/client.js
@@ -78,9 +78,7 @@ async function get(config) {
     config.enableTelemetry && {'Auth0-Client': Buffer.from(JSON.stringify(telemetryHeader)).toString('base64')}
   );
 
-  client[custom.http_options] = function(options) {
-    return Object.assign({}, options, httpOptions);
-  };
+  custom.setHttpOptionsDefaults(httpOptions);
 
   client[custom.clock_tolerance] = config.clockTolerance;
 

diff --git a/test/client.tests.js b/test/client.tests.js
@@ -4,6 +4,8 @@ const { get: getClient } = require('../lib/client');
 const wellKnown = require('./fixture/well-known.json');
 const nock = require('nock');
 const pkg = require('../package.json');
+const sinon = require('sinon');
+const openidClient = require('openid-client');
 
 describe('client initialization', function() {
 
@@ -49,6 +51,18 @@ describe('client initialization', function() {
       assert.include( headerProps, 'user-agent');
       assert.equal( `express-openid-connect/${pkg.version}`, headers['user-agent']);
     });
+
+    it('should not strip new headers', async function() {
+      const response = await client.requestResource('https://test.auth0.com/introspection', 'token', {
+        method: 'POST',
+        headers: {
+          Authorization: 'Bearer foo',
+        }
+      });
+      const headerProps = Object.getOwnPropertyNames(JSON.parse(response.body));
+
+      assert.include(headerProps, 'authorization');
+    });
   });
 
   describe('custom headers', function() {
@@ -100,16 +114,20 @@ describe('client initialization', function() {
       enableTelemetry: false
     });
 
-    let client;
     before(async function() {
-      client = await getClient(config);
+      sinon.spy(openidClient.custom, 'setHttpOptionsDefaults');
+      await getClient(config);
     });
 
-    it('should send the correct default headers', async function() {
-      const headers = await client.introspect('__test_token__', '__test_hint__');
-      const headerProps = Object.getOwnPropertyNames(headers);
+    after(function() {
+      openidClient.custom.setHttpOptionsDefaults.restore();
+    });
 
-      assert.notInclude(headerProps, 'auth0-client');
+    it('should set the correct default headers', function() {
+      assert.doesNotHaveAnyKeys(
+        openidClient.custom.setHttpOptionsDefaults.firstCall.args[0].headers,
+        ['auth0-client']
+      );
     });
   });