diff --git a/lib/swagger-oauth.js b/lib/swagger-oauth.js
index 576fcd33bf9..30646386476 100644
--- a/lib/swagger-oauth.js
+++ b/lib/swagger-oauth.js
@@ -4,6 +4,7 @@ var popupDialog;
var clientId;
var realm;
var redirect_uri;
+var state;
var clientSecret;
var scopeSeparator;
var additionalQueryStringParams;
@@ -11,25 +12,33 @@ var additionalQueryStringParams;
function handleLogin() {
var scopes = [];
- var auths = window.swaggerUi.api.authSchemes || window.swaggerUi.api.securityDefinitions;
+ var auths = window.swaggerUi.api.authSchemes || window.swaggerUi.api.securityDefinitions,
+ passwordFlow = false;
+
if(auths) {
var key;
var defs = auths;
for(key in defs) {
var auth = defs[key];
- if(auth.type === 'oauth2' && auth.scopes) {
- var scope;
- if(Array.isArray(auth.scopes)) {
- // 1.2 support
- var i;
- for(i = 0; i < auth.scopes.length; i++) {
- scopes.push(auth.scopes[i]);
+ if(auth.type === 'oauth2') {
+ passwordFlow = auth.flow === 'password';
+
+ if (auth.scopes) {
+ var scope;
+ if(Array.isArray(auth.scopes)) {
+ // 1.2 support
+ var i;
+ for(i = 0; i < auth.scopes.length; i++) {
+ scope = auth.scopes[i];
+ scope.OAuthSchemeKey = key;
+ scopes.push(scope);
+ }
}
- }
- else {
- // 2.0 support
- for(scope in auth.scopes) {
- scopes.push({scope: scope, description: auth.scopes[scope], OAuthSchemeKey: key});
+ else {
+ // 2.0 support
+ for(scope in auth.scopes) {
+ scopes.push({scope: scope, description: auth.scopes[scope], OAuthSchemeKey: key});
+ }
}
}
}
@@ -41,29 +50,46 @@ function handleLogin() {
appName = window.swaggerUi.api.info.title;
}
- $('.api-popup-dialog').remove();
- popupDialog = $(
- [
- ''].join(''));
+ $('.api-popup-dialog').remove();
+
+ popupDialog = ['']).join(''));
+
$(document.body).append(popupDialog);
//TODO: only display applicable scopes (will need to pass them into handleLogin)
popup = popupDialog.find('ul.api-popup-scopes').empty();
for (i = 0; i < scopes.length; i ++) {
scope = scopes[i];
- str = '' + scope.scope ;
+ str = '' + scope.scope ;
if (scope.description) {
if ($.map(auths, function(n, i) { return i; }).length > 1) //if we have more than one scheme, display schemes
str += '' + scope.description + ' ('+ scope.OAuthSchemeKey+')' +' ';
@@ -101,78 +127,77 @@ function handleLogin() {
popupDialog.hide();
var authSchemes = window.swaggerUi.api.authSchemes;
+
var host = window.location;
var pathname = location.pathname.substring(0, location.pathname.lastIndexOf("/"));
var defaultRedirectUrl = host.protocol + '//' + host.host + pathname + '/o2c.html';
var redirectUrl = window.oAuthRedirectUrl || defaultRedirectUrl;
- var url = null;
- var scopes = []
- var o = popup.find('input:checked');
+ var scopes = [];
+ var o = popup.find('input:checked');
var OAuthSchemeKeys = [];
- var state;
for(k =0; k < o.length; k++) {
var scope = $(o[k]).attr('scope');
if (scopes.indexOf(scope) === -1)
scopes.push(scope);
- var OAuthSchemeKey = $(o[k]).attr('oauthtype');
+ var OAuthSchemeKey = $(o[k]).attr('oauthtype');
if (OAuthSchemeKeys.indexOf(OAuthSchemeKey) === -1)
- OAuthSchemeKeys.push(OAuthSchemeKey);
+ OAuthSchemeKeys.push(OAuthSchemeKey);
}
-
- //TODO: merge not replace if scheme is different from any existing
+
+ //TODO: merge not replace if scheme is different from any existing
//(needs to be aware of schemes to do so correctly)
- window.enabledScopes=scopes;
-
- for (var key in authSchemes) {
+ window.enabledScopes = scopes;
+
+ for (var key in authSchemes) {
if (authSchemes.hasOwnProperty(key) && OAuthSchemeKeys.indexOf(key) != -1) { //only look at keys that match this scope.
- var flow = authSchemes[key].flow;
+ var dets = authSchemes[key];
+ // RFC 6749 recommends to use state for Implicit and AccessCode Flows:
+ // state: An opaque value used by the client to maintain state between
+ // the request and callback. The authorization server includes
+ // this value when redirecting the user-agent back to the
+ // client. The parameter SHOULD be used for preventing
+ // cross-site request forgery as described in Section 10.12.
+ // We also use the state as a way to pass the authentication name to match it later.
+ state = key + '&' + Math.random();
- if(authSchemes[key].type === 'oauth2' && flow && (flow === 'implicit' || flow === 'accessCode')) {
- var dets = authSchemes[key];
- url = dets.authorizationUrl + '?response_type=' + (flow === 'implicit' ? 'token' : 'code');
+ if (authSchemes[key].type === 'oauth2' && dets.flow) {
window.swaggerUi.tokenName = dets.tokenName || 'access_token';
- window.swaggerUi.tokenUrl = (flow === 'accessCode' ? dets.tokenUrl : null);
- state = key;
+ window.swaggerUi.tokenUrl = (dets.flow !== 'implicit' ? dets.tokenUrl : null);
+
+ if (dets.flow === 'implicit' || dets.flow === 'accessCode') {
+ var authorizationUrl = dets.authorizationUrl + '?response_type=' + (dets.flow === 'implicit' ? 'token' : 'code');
+ handleImplicitOrAccessCodeFlow(authorizationUrl, scopes, redirectUrl, state);
+ }
+ else if (dets.flow === 'application') {
+ handleClientCredentialsFlow(scopes, key);
+ }
+ else if (dets.flow === 'password') {
+ handlePasswordFlow(scopes, key);
+ }
}
- else if(authSchemes[key].type === 'oauth2' && flow && (flow === 'application')) {
- var dets = authSchemes[key];
- window.swaggerUi.tokenName = dets.tokenName || 'access_token';
- clientCredentialsFlow(scopes, dets.tokenUrl, key);
- return;
- }
else if(authSchemes[key].grantTypes) {
// 1.2 support
var o = authSchemes[key].grantTypes;
+ var authorizationUrl;
for(var t in o) {
if(o.hasOwnProperty(t) && t === 'implicit') {
var dets = o[t];
var ep = dets.loginEndpoint.url;
- url = dets.loginEndpoint.url + '?response_type=token';
+ authorizationUrl = dets.loginEndpoint.url + '?response_type=token';
window.swaggerUi.tokenName = dets.tokenName;
}
else if (o.hasOwnProperty(t) && t === 'accessCode') {
var dets = o[t];
var ep = dets.tokenRequestEndpoint.url;
- url = dets.tokenRequestEndpoint.url + '?response_type=code';
+ authorizationUrl = dets.tokenRequestEndpoint.url + '?response_type=code';
window.swaggerUi.tokenName = dets.tokenName;
}
}
+ handleImplicitOrAccessCodeFlow(authorizationUrl, scopes, redirectUrl, state);
}
}
}
- redirect_uri = redirectUrl;
-
- url += '&redirect_uri=' + encodeURIComponent(redirectUrl);
- url += '&realm=' + encodeURIComponent(realm);
- url += '&client_id=' + encodeURIComponent(clientId);
- url += '&scope=' + encodeURIComponent(scopes.join(scopeSeparator));
- url += '&state=' + encodeURIComponent(state);
- for (var key in additionalQueryStringParams) {
- url += '&' + key + '=' + encodeURIComponent(additionalQueryStringParams[key]);
- }
-
- window.open(url);
});
popupMask.show();
@@ -180,7 +205,6 @@ function handleLogin() {
return;
}
-
function handleLogout() {
for(key in window.swaggerUi.api.clientAuthorizations.authz){
window.swaggerUi.api.clientAuthorizations.remove(key)
@@ -224,36 +248,74 @@ function initOAuth(opts) {
});
}
-function clientCredentialsFlow(scopes, tokenUrl, OAuthSchemeKey) {
- var params = {
- 'client_id': clientId,
- 'client_secret': clientSecret,
- 'scope': scopes.join(' '),
- 'grant_type': 'client_credentials'
- }
- $.ajax(
- {
- url : tokenUrl,
- type: "POST",
- data: params,
- success:function(data, textStatus, jqXHR)
- {
- onOAuthComplete(data,OAuthSchemeKey);
- },
- error: function(jqXHR, textStatus, errorThrown)
- {
- onOAuthComplete("");
- }
- });
-
+function handleImplicitOrAccessCodeFlow(authorizationUrl, scopes, redirectUrl, state) {
+ redirect_uri = redirectUrl;
+ authorizationUrl += (
+ '&redirect_uri=' + encodeURIComponent(redirectUrl) +
+ '&realm=' + encodeURIComponent(realm) +
+ '&client_id=' + encodeURIComponent(clientId) +
+ '&scope=' + encodeURIComponent(scopes.join(scopeSeparator)) +
+ '&state=' + encodeURIComponent(state)
+ );
+ for (var key in additionalQueryStringParams) {
+ authorizationUrl += '&' + key + '=' + encodeURIComponent(additionalQueryStringParams[key]);
}
+ window.open(authorizationUrl);
+}
+
+function handleClientCredentialsFlow(scopes, OAuthSchemeKey) {
+ var params = {
+ 'grant_type': 'client_credentials',
+ 'client_id': clientId,
+ 'client_secret': clientSecret,
+ 'scope': scopes.join(' ')
+ }
+ $.ajax(
+ {
+ url : window.swaggerUi.tokenUrl,
+ type: "POST",
+ data: params,
+ success:function(data, textStatus, jqXHR)
+ {
+ onOAuthComplete(data, OAuthSchemeKey);
+ },
+ error: function(jqXHR, textStatus, errorThrown)
+ {
+ onOAuthComplete("");
+ }
+ });
+}
+
+function handlePasswordFlow(scopes, OAuthSchemeKey) {
+ var authParams = {
+ 'grant_type': 'password',
+ 'client_id': encodeURIComponent(clientId),
+ 'client_secret': encodeURIComponent(clientSecret),
+ 'username': $('#username').val(),
+ 'password': encodeURIComponent($('#password').val()),
+ 'scope': scopes.join(' ')
+ };
+
+ $.ajax({
+ url: window.swaggerUi.tokenUrl,
+ type: 'POST',
+ data: authParams,
+ success: function (data) {
+ onOAuthComplete(data, OAuthSchemeKey);
+ },
+ error: function(data) {
+ onOAuthComplete("");
+ }
+ });
+}
+
window.processOAuthCode = function processOAuthCode(data) {
var OAuthSchemeKey = data.state;
var params = {
+ 'grant_type': 'authorization_code',
'client_id': clientId,
'code': data.code,
- 'grant_type': 'authorization_code',
'redirect_uri': redirect_uri
};
@@ -264,7 +326,7 @@ window.processOAuthCode = function processOAuthCode(data) {
$.ajax(
{
url : window.swaggerUi.tokenUrl,
- type: "POST",
+ type: 'POST',
data: params,
success:function(data, textStatus, jqXHR)
{
@@ -277,8 +339,8 @@ window.processOAuthCode = function processOAuthCode(data) {
});
};
-window.onOAuthComplete = function onOAuthComplete(token,OAuthSchemeKey) {
- if(token) {
+window.onOAuthComplete = function onOAuthComplete(token, OAuthSchemeKey) {
+ if (token) {
if(token.error) {
var checkbox = $('input[type=checkbox],.secured')
checkbox.each(function(pos){
@@ -287,14 +349,20 @@ window.onOAuthComplete = function onOAuthComplete(token,OAuthSchemeKey) {
alert(token.error);
}
else {
- var b = token[window.swaggerUi.tokenName];
- if (!OAuthSchemeKey){
- OAuthSchemeKey = token.state;
+ if (!OAuthSchemeKey) {
+ alert(1);
+ if (token.state !== state) {
+ alert("OAuth2 security error: State is different, possible CSRF attack.");
+ }
+ // Implicit and AccessCode Flows is expected to pass a
+ // 'OAuthSchemeKey&Math.random()' value
+ OAuthSchemeKey = token.state.replace(/^(.*)&/, '$1');
}
- if(b){
+ var b = token[window.swaggerUi.tokenName];
+ if (b) {
// if all roles are satisfied
var o = null;
- $.each($('.auth .api-ic .api_information_panel'), function(k, v) {
+ $.each($('.auth .api-ic .api_information_panel'), function(k, v) {
var children = v;
if(children && children.childNodes) {
var requiredScopes = [];