fix: Refresh tokens with a plus sign get corrupted before sending to token endpoint

manfredsteyer · manfredsteyer · commit 2204c5a30764 · 2021-07-16T19:03:59.000+02:00
diff --git a/projects/lib/src/interceptors/default-oauth.interceptor.ts b/projects/lib/src/interceptors/default-oauth.interceptor.ts
@@ -34,7 +34,7 @@ export class DefaultOAuthInterceptor implements HttpInterceptor {
 
     if (this.moduleConfig.resourceServer.allowedUrls) {
       return !!this.moduleConfig.resourceServer.allowedUrls.find(u =>
-        url.startsWith(u)
+        url.toLowerCase().startsWith(u.toLowerCase())
       );
     }
 
diff --git a/projects/lib/src/oauth-service.ts b/projects/lib/src/oauth-service.ts
@@ -911,7 +911,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
     );
 
     return new Promise((resolve, reject) => {
-      let params = new HttpParams()
+      let params = new HttpParams({ encoder: new WebHttpUrlEncodingCodec() })
         .set('grant_type', 'refresh_token')
         .set('scope', this.scope)
         .set('refresh_token', this._storage.getItem('refresh_token'));
@@ -1644,7 +1644,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
     if (grantedScopes && !Array.isArray(grantedScopes)) {
       this._storage.setItem(
         'granted_scopes',
-        JSON.stringify(grantedScopes.split('+'))
+        JSON.stringify(grantedScopes.split(' '))
       );
     } else if (grantedScopes && Array.isArray(grantedScopes)) {
       this._storage.setItem('granted_scopes', JSON.stringify(grantedScopes));
@@ -1717,7 +1717,11 @@ export class OAuthService extends AuthConfig implements OnDestroy {
           .replace(/session_state=[^&\$]*/, '')
           .replace(/^\?&/, '?')
           .replace(/&$/, '')
-          .replace(/^\?$/, '') + location.hash;
+          .replace(/^\?$/, '') 
+          .replace(/&+/g, '&')
+          .replace(/\?&/, '?')
+          .replace(/\?$/, '')
+          + location.hash;
 
       history.replaceState(null, window.name, href);
     }
@@ -1781,7 +1785,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
     code: string,
     options: LoginOptions
   ): Promise<object> {
-    let params = new HttpParams()
+    let params = new HttpParams({ encoder: new WebHttpUrlEncodingCodec() })
       .set('grant_type', 'authorization_code')
       .set('code', code)
       .set('redirect_uri', options.customRedirectUri || this.redirectUri);
@@ -2352,7 +2356,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
     if (this.getAccessToken()) {
       const expiresAt = this._storage.getItem('expires_at');
       const now = this.dateTimeService.new();
-      if (expiresAt && parseInt(expiresAt, 10) < now.getTime()) {
+      if (expiresAt && parseInt(expiresAt, 10) < now.getTime() + this.clockSkewInSec) {
         return false;
       }
 
@@ -2369,7 +2373,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
     if (this.getIdToken()) {
       const expiresAt = this._storage.getItem('id_token_expires_at');
       const now = this.dateTimeService.new();
-      if (expiresAt && parseInt(expiresAt, 10) < now.getTime()) {
+      if (expiresAt && parseInt(expiresAt, 10) < now.getTime() + this.clockSkewInSec) {
         return false;
       }
 
@@ -2471,7 +2475,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
         .replace(/\{\{id_token\}\}/, encodeURIComponent(id_token))
         .replace(/\{\{client_id\}\}/, encodeURIComponent(this.clientId));
     } else {
-      let params = new HttpParams();
+      let params = new HttpParams({ encoder: new WebHttpUrlEncodingCodec() });
 
       if (id_token) {
         params = params.set('id_token_hint', id_token);
@@ -2709,7 +2713,7 @@ export class OAuthService extends AuthConfig implements OnDestroy {
       return;
     }
 
-    let params = new HttpParams();
+    let params = new HttpParams({ encoder: new WebHttpUrlEncodingCodec() });
 
     let headers = new HttpHeaders().set(
       'Content-Type',
diff --git a/projects/lib/src/public_api.ts b/projects/lib/src/public_api.ts
@@ -13,3 +13,4 @@ export * from './interceptors/default-oauth.interceptor';
 export * from './interceptors/resource-server-error-handler';
 export * from './oauth-module.config';
 export * from './date-time-provider';
+export * from './token-validation/hash-handler';
diff --git a/projects/sample/src/app/app.component.ts b/projects/sample/src/app/app.component.ts
@@ -28,6 +28,10 @@ export class AppComponent {
       .subscribe(_ => {
         console.debug('state', this.oauthService.state);
         this.oauthService.loadUserProfile();
+
+        const scopes = this.oauthService.getGrantedScopes();
+        console.debug('scopes', scopes);
+
       });
   }
 

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ export class DefaultOAuthInterceptor implements HttpInterceptor {`
`34`	`34`
`35`	`35`	`if (this.moduleConfig.resourceServer.allowedUrls) {`
`36`	`36`	`return !!this.moduleConfig.resourceServer.allowedUrls.find(u =>`
`37`		`- url.startsWith(u)`
	`37`	`+ url.toLowerCase().startsWith(u.toLowerCase())`
`38`	`38`	`);`
`39`	`39`	`}`
`40`	`40`