oauth3.js/oauth3.core.js

;(function (exports) {
  'use strict';

  // NOTE: we assume that directive.provider_uri exists

  var core = {};
  core.urls = core;

  function getDefaultAppApiBase() {
    console.warn('[deprecated] using window.location.host when opts.appApiBase should be used');
    return 'https://' + window.location.host;
  }

  core.parsescope = function (scope) {
    return (scope||'').split(/[+, ]/g);
  };
  core.stringifyscope = function (scope) {
    if (Array.isArray(scope)) {
      scope = scope.join(' ');
    }
    return scope;
  };

  core.querystringify = function (params) {
    var qs = [];

    Object.keys(params).forEach(function (key) {
      // TODO nullify instead?
      if ('undefined' === typeof params[key]) {
        return;
      }

      if ('scope' === key) {
        params[key] = core.stringifyscope(params[key]);
      }

      qs.push(encodeURIComponent(key) + '=' + encodeURIComponent(params[key]));
    });

    return qs.join('&');
  };

  // Modified from http://stackoverflow.com/a/7826782
  core.queryparse = function (search) {
    // parse a query or a hash
    if (-1 !== ['#', '?'].indexOf(search[0])) {
      search = search.substring(1);
    }
    // Solve for case of search within hash
    // example: #/authorization_dialog/?state=...&redirect_uri=...
    var queryIndex = search.indexOf('?');
    if (-1 !== queryIndex) {
      search = search.substr(queryIndex + 1);
    }

    var args = search.split('&');
    var argsParsed = {};
    var i, arg, kvp, key, value;

    for (i = 0; i < args.length; i += 1) {

        arg = args[i];

        if (-1 === arg.indexOf('=')) {

          argsParsed[decodeURIComponent(arg).trim()] = true;

        }
        else {

          kvp = arg.split('=');
          key = decodeURIComponent(kvp[0]).trim();
          value = decodeURIComponent(kvp[1]).trim();
          argsParsed[key] = value;

        }
    }

    return argsParsed;
  };

  core.formatError = function (providerUri, params) {
    var err = new Error(params.error_description || params.error.message || "Unknown error when discoving provider '" + providerUri + "'");
    err.uri = params.error_uri || params.error.uri;
    err.code = params.error.code || params.error;
    return err;
  };
  core.normalizePath = function (path) {
    return path.replace(/^\//, '').replace(/\/$/, '');
  };
  core.normalizeUri = function (providerUri) {
    // tested with
    //   example.com
    //   example.com/
    //   http://example.com
    //   https://example.com/
    return providerUri
      .replace(/^(https?:\/\/)?/i, '')
      .replace(/\/?$/, '')
      ;
  };
  core.normalizeUrl = function (providerUri) {
    // tested with
    //   example.com
    //   example.com/
    //   http://example.com
    //   https://example.com/
    return providerUri
      .replace(/^(https?:\/\/)?/i, 'https://')
      .replace(/\/?$/, '')
      ;
  };

  // these might not really belong in core... not sure
  // there should be node.js- and browser-specific versions probably
  core.utils = {
    urlSafeBase64ToBase64: function (b64) {
      // URL-safe Base64 to Base64
      // https://en.wikipedia.org/wiki/Base64
      // https://gist.github.com/catwell/3046205
      var mod = b64.length % 4;
      if (2 === mod) { b64 += '=='; }
      if (3 === mod) { b64 += '='; }
      b64 = b64.replace(/-/g, '+').replace(/_/g, '/');
      return b64;
    }
  , base64ToUrlSafeBase64: function (b64) {
      // Base64 to URL-safe Base64
      b64 = b64.replace(/\+/g, '-').replace(/\//g, '_');
      b64 = b64.replace(/=+/g, '');
      return b64;
    }
  , randomState: function () {
      var i;
      var ch;
      var str;

      // TODO put in different file for browser vs node
      try {
        return Array.prototype.slice.call(window.crypto.getRandomValues(new Uint8Array(16))).map(function (ch) { return (ch).toString(16); }).join('');
      } catch(e) {
        // TODO use fisher-yates on 0..255 and select [0] 16 times
        // [security] https://medium.com/@betable/tifu-by-using-math-random-f1c308c4fd9d#.5qx0bf95a
        // https://github.com/v8/v8/blob/b0e4dce6091a8777bda80d962df76525dc6c5ea9/src/js/math.js#L135-L144
        // Note: newer versions of v8 do not have this bug, but other engines may still
        console.warn('[security] crypto.getRandomValues() failed, falling back to Math.random()');
        str = '';
        for (i = 0; i < 32; i += 1) {
          ch = Math.round(Math.random() * 255).toString(16);
          if (ch.length < 2) { ch = '0' + ch; }
          str += ch;
        }
        return str;
      }
    }
  };
  core.jwt = {
    // decode only (no verification)
    decode: function (str) {

      // 'abc.qrs.xyz'
      // [ 'abc', 'qrs', 'xyz' ]
      // [ {}, {}, 'foo' ]
      // { header: {}, payload: {}, signature: }
      var parts = str.split(/\./g);
      var jsons = parts.slice(0, 2).map(function (urlsafe64) {
        var atob = exports.atob || require('atob');
        var b64 = core.utils.urlSafeBase64ToBase64(urlsafe64);
        return atob(b64);
      });

      return {
        header: JSON.parse(jsons[0])
      , payload: JSON.parse(jsons[1])
      , signature: parts[2] // should remain url-safe base64
      };
    }
  , getFreshness: function (tokenMeta, staletime, now) {
      staletime = staletime || (15 * 60);
      now = now || Date.now();
      var fresh = ((parseInt(tokenMeta.exp, 10) || 0) - Math.round(now / 1000));

      if (fresh >= staletime) {
        return 'fresh';
      }

      if (fresh <= 0) {
        return 'expired';
      }

      return 'stale';
    }
    // encode-only (no signature)
  , encode: function (parts) {
      parts.header = parts.header || { alg: 'none', typ: 'jwt' };
      parts.signature = parts.signature || '';

      var btoa = exports.btoa || require('btoa');
      var result = [
        core.utils.base64ToUrlSafeBase64(btoa(JSON.stringify(parts.header, null)))
      , core.utils.base64ToUrlSafeBase64(btoa(JSON.stringify(parts.payload, null)))
      , parts.signature // should already be url-safe base64
      ].join('.');

      return result;
    }
  };

  core.urls.discover = function (providerUri, opts) {
    if (!providerUri) {
      throw new Error("cannot discover without providerUri");
    }
    if (!opts.client_id) {
      throw new Error("cannot discover without options.client_id");
    }
    var clientId = core.normalizeUrl(opts.client_id || opts.client_uri);
    providerUri = core.normalizeUrl(providerUri);

    var params = {
      action: 'directives'
    , state: core.utils.randomState()
    , redirect_uri: clientId + (opts.client_callback_path || '/.well-known/oauth3/callback.html')
    , response_type: 'rpc'
    , _method: 'GET'
    , _pathname: '.well-known/oauth3/directives.json'
    , debug: opts.debug || undefined
    };

    var result = {
      url: providerUri + '/.well-known/oauth3/#/?' + core.querystringify(params)
    , state: params.state
    , method: 'GET'
    , query: params
    };

    return result;
  };
  core.urls.authorizationCode = function (/*directive, scope, redirectUri, clientId*/) {
    //
    // Example Authorization Code Request
    // (not for use in the browser)
    //
    // GET https://example.com/api/org.oauth3.provider/authorization_dialog
    //  ?response_type=code
    //  &scope=`encodeURIComponent('profile.login profile.email')`
    //  &state=`cryptoutil.random().toString('hex')`
    //  &client_id=xxxxxxxxxxx
    //  &redirect_uri=`encodeURIComponent('https://myapp.com/oauth3.html')`
    //
    // NOTE: `redirect_uri` itself may also contain URI-encoded components
    //
    // NOTE: This probably shouldn't be done in the browser because the server
    //   needs to initiate the state. If it is done in a browser, the browser
    //   should probably request 'state' from the server beforehand
    //

    throw new Error("not implemented");
  };

  core.urls.authorizationRedirect = function (directive, opts) {
    //console.log('[authorizationRedirect]');
    //
    // Example Authorization Redirect - from Browser to Consumer API
    // (for generating a session securely on your own server)
    //
    // i.e. GET https://<<CONSUMER>>.com/api/org.oauth3.consumer/authorization_redirect/<<PROVIDER>>.com
    //
    // GET https://myapp.com/api/org.oauth3.consumer/authorization_redirect/`encodeURIComponent('example.com')`
    //  &scope=`encodeURIComponent('profile.login profile.email')`
    //
    // (optional)
    //  &state=`cryptoutil.random().toString('hex')`
    //  &redirect_uri=`encodeURIComponent('https://myapp.com/oauth3.html')`
    //
    // NOTE: This is not a request sent to the provider, but rather a request sent to the
    // consumer (your own API) which then sets some state and redirects.
    // This will initiate the `authorization_code` request on your server
    //
    opts = opts || {};

    var scope = opts.scope || directive.authn_scope;
    var providerUri = directive.provider_uri;
    var params = {
      state: core.utils.randomState()
    , debug: opts.debug || undefined
    };
    var slimProviderUri = encodeURIComponent(providerUri.replace(/^(https?|spdy):\/\//, ''));
    var authorizationRedirect = opts.authorizationRedirect;

    if (scope) {
      params.scope = scope;
    }
    if (opts.redirectUri) {
      // this is really only for debugging
      params.redirect_uri = opts.redirectUri;
    }
    // Note: the type check is necessary because we allow 'true'
    // as an automatic mechanism when it isn't necessary to specify
    if ('string' !== typeof authorizationRedirect) {
      // TODO oauth3.json for self?
      authorizationRedirect = (opts.appApiBase || getDefaultAppApiBase())
        + '/api/org.oauth3.consumer/authorization_redirect/:provider_uri';
    }
    authorizationRedirect = authorizationRedirect
      .replace(/!(provider_uri)/, slimProviderUri)
      .replace(/:provider_uri/, slimProviderUri)
      .replace(/#{provider_uri}/, slimProviderUri)
      .replace(/{{provider_uri}}/, slimProviderUri)
      ;

    return {
      url: authorizationRedirect + '?' + core.querystringify(params)
    , method: 'GET'
    , state: params.state    // this becomes browser_state
    , params: params  // includes scope, final redirect_uri?
    };
  };

  core.urls.implicitGrant = function (directive, opts) {
    //console.log('[implicitGrant]');
    //
    // Example Implicit Grant Request
    // (for generating a browser-only session, not a session on your server)
    //
    // GET https://example.com/api/org.oauth3.provider/authorization_dialog
    //  ?response_type=token
    //  &scope=`encodeURIComponent('profile.login profile.email')`
    //  &state=`cryptoutil.random().toString('hex')`
    //  &client_id=xxxxxxxxxxx
    //  &redirect_uri=`encodeURIComponent('https://myapp.com/oauth3.html')`
    //
    // NOTE: `redirect_uri` itself may also contain URI-encoded components
    //

    opts = opts || {};
    var type = 'authorization_dialog';
    var responseType = 'token';

    var redirectUri = opts.redirect_uri;
    var scope = opts.scope || directive.authn_scope;
    var args = directive[type];
    var uri = args.url;
    var state = core.utils.randomState();
    var params = {
      debug: opts.debug || undefined
    , client_uri: opts.client_uri || opts.clientUri || undefined
    , client_id: opts.client_id || opts.client_uri || undefined
    };
    var result;

    params.state = state;
    params.response_type = responseType;
    if (scope) {
      params.scope = core.stringifyscope(scope);
    }
    if (!redirectUri) {
      // TODO consider making this optional
      console.error('missing redirect_uri');
    }
    params.redirect_uri = redirectUri;

    uri += '?' + core.querystringify(params);

    result = {
      url: uri
    , state: state
    , method: args.method
    , query: params
    };

    return result;
  };

  core.urls.resolve = function (base, next) {
    if (/^https:\/\//i.test(next)) {
      return next;
    }
    return core.normalizeUrl(base) + '/' + core.normalizePath(next);
  };

  core.urls.refreshToken = function (directive, opts) {
    // grant_type=refresh_token

    // Example Refresh Token Request
    // (generally for 1st or 3rd party server-side, mobile, and desktop apps)
    //
    // POST https://example.com/api/oauth3/access_token
    //    { "grant_type": "refresh_token", "client_id": "<<id>>", "scope": "<<scope>>"
    //    , "username": "<<username>>", "password": "password" }
    //
    opts = opts || {};
    var type = 'access_token';
    var grantType = 'refresh_token';

    var scope = opts.scope || directive.authn_scope;
    var clientSecret = opts.appSecret || opts.clientSecret;
    var args = directive[type];
    var params = {
      "grant_type": grantType
    , "refresh_token": opts.refresh_token || opts.refreshToken || (opts.session && opts.session.refresh_token)
    , "response_type": 'token'
    , "client_id": opts.appId || opts.app_id || opts.client_id || opts.clientId || opts.client_id || opts.clientId
    , "client_uri": opts.client_uri || opts.clientUri
    //, "scope": undefined
    //, "client_secret": undefined
    , debug: opts.debug || undefined
    };
    var uri = args.url;
    var body;

    // TODO not allowed in the browser
    if (clientSecret) {
      params.client_secret = clientSecret;
    }

    if (scope) {
      params.scope = core.stringifyscope(scope);
    }

    if ('GET' === args.method.toUpperCase()) {
      uri += '?' + core.querystringify(params);
    } else {
      body = params;
    }

    return {
      url: uri
    , method: args.method
    , data: body
    };
  };

  core.urls.logout = function (directive, opts) {
    opts = opts || {};
    var type = 'logout';
    var clientId = opts.appId || opts.clientId || opts.client_id;
    var args = directive[type];
    var params = {
      client_id: opts.clientUri || opts.client_uri
    , debug: opts.debug || undefined
    };
    var uri = args.url;
    var body;

    if (opts.clientUri) {
      params.client_uri = opts.clientUri;
    }

    if (clientId) {
      params.client_id = clientId;
    }

    args.method = (args.method || 'GET').toUpperCase();
    if ('GET' === args.method) {
      uri += '?' + core.querystringify(params);
    } else {
      body = params;
    }

    return {
      url: uri
    , method: args.method || 'GET'
    , data: body
    };
  };

  exports.OAUTH3 = exports.OAUTH3 || { core: core };
  exports.OAUTH3_CORE = core.OAUTH3_CORE = core;

  if ('undefined' !== typeof module) {
    module.exports = core;
  }
}('undefined' !== typeof exports ? exports : window));
refactor browser-only code 2017-02-08 00:48:07 -05:00			`;(function (exports) {`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`'use strict';`

			`// NOTE: we assume that directive.provider_uri exists`

			`var core = {};`
WIP refactor (refreshToken works) 2017-02-08 04:18:15 -05:00			`core.urls = core;`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00
move to towards discrete xd callbacks 2017-01-31 19:12:31 -07:00			`function getDefaultAppApiBase() {`
			`console.warn('[deprecated] using window.location.host when opts.appApiBase should be used');`
			`return 'https://' + window.location.host;`
			`}`

Freaking Works! 2017-02-10 21:34:00 -05:00			`core.parsescope = function (scope) {`
			`return (scope\|\|'').split(/[+, ]/g);`
			`};`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`core.stringifyscope = function (scope) {`
			`if (Array.isArray(scope)) {`
			`scope = scope.join(' ');`
			`}`
			`return scope;`
			`};`

			`core.querystringify = function (params) {`
			`var qs = [];`

			`Object.keys(params).forEach(function (key) {`
ignore 'undefined' rather than stringify 2017-01-18 16:24:30 -05:00			`// TODO nullify instead?`
			`if ('undefined' === typeof params[key]) {`
			`return;`
			`}`

move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`if ('scope' === key) {`
			`params[key] = core.stringifyscope(params[key]);`
			`}`
ignore 'undefined' rather than stringify 2017-01-18 16:24:30 -05:00
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`qs.push(encodeURIComponent(key) + '=' + encodeURIComponent(params[key]));`
			`});`

			`return qs.join('&');`
			`};`

add queryparse 2017-01-23 12:51:34 -07:00			`// Modified from http://stackoverflow.com/a/7826782`
			`core.queryparse = function (search) {`
add unsecured jwt 2017-01-24 13:10:16 -07:00			`// parse a query or a hash`
			`if (-1 !== ['#', '?'].indexOf(search[0])) {`
			`search = search.substring(1);`
			`}`
handle nested search in hash and discover as index.html 2017-02-06 14:41:25 -07:00			`// Solve for case of search within hash`
			`// example: #/authorization_dialog/?state=...&redirect_uri=...`
			`var queryIndex = search.indexOf('?');`
			`if (-1 !== queryIndex) {`
			`search = search.substr(queryIndex + 1);`
			`}`
add queryparse 2017-01-23 12:51:34 -07:00
			`var args = search.split('&');`
			`var argsParsed = {};`
			`var i, arg, kvp, key, value;`

			`for (i = 0; i < args.length; i += 1) {`

			`arg = args[i];`

			`if (-1 === arg.indexOf('=')) {`

add unsecured jwt 2017-01-24 13:10:16 -07:00			`argsParsed[decodeURIComponent(arg).trim()] = true;`
add queryparse 2017-01-23 12:51:34 -07:00
			`}`
			`else {`

add unsecured jwt 2017-01-24 13:10:16 -07:00			`kvp = arg.split('=');`
			`key = decodeURIComponent(kvp[0]).trim();`
			`value = decodeURIComponent(kvp[1]).trim();`
			`argsParsed[key] = value;`
add queryparse 2017-01-23 12:51:34 -07:00
			`}`
			`}`

			`return argsParsed;`
			`};`

refactor browser-only code 2017-02-08 00:48:07 -05:00			`core.formatError = function (providerUri, params) {`
WIP refactor (refreshToken works) 2017-02-08 04:18:15 -05:00			`var err = new Error(params.error_description \|\| params.error.message \|\| "Unknown error when discoving provider '" + providerUri + "'");`
			`err.uri = params.error_uri \|\| params.error.uri;`
			`err.code = params.error.code \|\| params.error;`
refactor browser-only code 2017-02-08 00:48:07 -05:00			`return err;`
			`};`
WIP provider separation, grant flow 2017-02-09 21:51:22 -05:00			`core.normalizePath = function (path) {`
			`return path.replace(/^\//, '').replace(/\/$/, '');`
			`};`
refactor browser-only code 2017-02-08 00:48:07 -05:00			`core.normalizeUri = function (providerUri) {`
			`// tested with`
			`// example.com`
			`// example.com/`
			`// http://example.com`
			`// https://example.com/`
			`return providerUri`
			`.replace(/^(https?:\/\/)?/i, '')`
			`.replace(/\/?$/, '')`
			`;`
			`};`
			`core.normalizeUrl = function (providerUri) {`
			`// tested with`
			`// example.com`
			`// example.com/`
			`// http://example.com`
			`// https://example.com/`
			`return providerUri`
			`.replace(/^(https?:\/\/)?/i, 'https://')`
			`.replace(/\/?$/, '')`
			`;`
			`};`

fix url-safe base64 jwt encoding 2017-01-24 13:16:21 -07:00			`// these might not really belong in core... not sure`
			`// there should be node.js- and browser-specific versions probably`
add unsecured jwt 2017-01-24 13:10:16 -07:00			`core.utils = {`
			`urlSafeBase64ToBase64: function (b64) {`
			`// URL-safe Base64 to Base64`
fix urlsafeBase64 to base64 2017-02-07 18:31:05 -05:00			`// https://en.wikipedia.org/wiki/Base64`
			`// https://gist.github.com/catwell/3046205`
			`var mod = b64.length % 4;`
			`if (2 === mod) { b64 += '=='; }`
			`if (3 === mod) { b64 += '='; }`
add unsecured jwt 2017-01-24 13:10:16 -07:00			`b64 = b64.replace(/-/g, '+').replace(/_/g, '/');`
			`return b64;`
			`}`
			`, base64ToUrlSafeBase64: function (b64) {`
			`// Base64 to URL-safe Base64`
			`b64 = b64.replace(/\+/g, '-').replace(/\//g, '_');`
			`b64 = b64.replace(/=+/g, '');`
			`return b64;`
			`}`
secure state, api fix for discover(), url trailing slash fix 2017-02-06 13:26:46 -07:00			`, randomState: function () {`
			`var i;`
			`var ch;`
			`var str;`

			`// TODO put in different file for browser vs node`
			`try {`
			`return Array.prototype.slice.call(window.crypto.getRandomValues(new Uint8Array(16))).map(function (ch) { return (ch).toString(16); }).join('');`
			`} catch(e) {`
			`// TODO use fisher-yates on 0..255 and select [0] 16 times`
			`// [security] https://medium.com/@betable/tifu-by-using-math-random-f1c308c4fd9d#.5qx0bf95a`
			`// https://github.com/v8/v8/blob/b0e4dce6091a8777bda80d962df76525dc6c5ea9/src/js/math.js#L135-L144`
			`// Note: newer versions of v8 do not have this bug, but other engines may still`
			`console.warn('[security] crypto.getRandomValues() failed, falling back to Math.random()');`
			`str = '';`
			`for (i = 0; i < 32; i += 1) {`
			`ch = Math.round(Math.random() * 255).toString(16);`
			`if (ch.length < 2) { ch = '0' + ch; }`
			`str += ch;`
			`}`
			`return str;`
			`}`
			`}`
add unsecured jwt 2017-01-24 13:10:16 -07:00			`};`
			`core.jwt = {`
			`// decode only (no verification)`
			`decode: function (str) {`

			`// 'abc.qrs.xyz'`
			`// [ 'abc', 'qrs', 'xyz' ]`
			`// [ {}, {}, 'foo' ]`
			`// { header: {}, payload: {}, signature: }`
			`var parts = str.split(/\./g);`
fix urlsafeBase64 to base64 2017-02-07 18:31:05 -05:00			`var jsons = parts.slice(0, 2).map(function (urlsafe64) {`
add unsecured jwt 2017-01-24 13:10:16 -07:00			`var atob = exports.atob \|\| require('atob');`
fix urlsafeBase64 to base64 2017-02-07 18:31:05 -05:00			`var b64 = core.utils.urlSafeBase64ToBase64(urlsafe64);`
			`return atob(b64);`
add unsecured jwt 2017-01-24 13:10:16 -07:00			`});`

			`return {`
			`header: JSON.parse(jsons[0])`
			`, payload: JSON.parse(jsons[1])`
fix url-safe base64 jwt encoding 2017-01-24 13:16:21 -07:00			`, signature: parts[2] // should remain url-safe base64`
add unsecured jwt 2017-01-24 13:10:16 -07:00			`};`
			`}`
.meta -> .token 2017-02-13 12:46:12 -05:00			`, getFreshness: function (tokenMeta, staletime, now) {`
WIP refactor (refreshToken works) 2017-02-08 04:18:15 -05:00			`staletime = staletime \|\| (15 * 60);`
			`now = now \|\| Date.now();`
.meta -> .token 2017-02-13 12:46:12 -05:00			`var fresh = ((parseInt(tokenMeta.exp, 10) \|\| 0) - Math.round(now / 1000));`
WIP refactor (refreshToken works) 2017-02-08 04:18:15 -05:00
			`if (fresh >= staletime) {`
			`return 'fresh';`
			`}`

			`if (fresh <= 0) {`
			`return 'expired';`
			`}`

			`return 'stale';`
			`}`
add unsecured jwt 2017-01-24 13:10:16 -07:00			`// encode-only (no signature)`
			`, encode: function (parts) {`
			`parts.header = parts.header \|\| { alg: 'none', typ: 'jwt' };`
			`parts.signature = parts.signature \|\| '';`
fix url-safe base64 jwt encoding 2017-01-24 13:16:21 -07:00
			`var btoa = exports.btoa \|\| require('btoa');`
add unsecured jwt 2017-01-24 13:10:16 -07:00			`var result = [`
fix url-safe base64 jwt encoding 2017-01-24 13:16:21 -07:00			`core.utils.base64ToUrlSafeBase64(btoa(JSON.stringify(parts.header, null)))`
			`, core.utils.base64ToUrlSafeBase64(btoa(JSON.stringify(parts.payload, null)))`
			`, parts.signature // should already be url-safe base64`
add unsecured jwt 2017-01-24 13:10:16 -07:00			`].join('.');`

			`return result;`
			`}`
			`};`

WIP provider separation, grant flow 2017-02-09 21:51:22 -05:00			`core.urls.discover = function (providerUri, opts) {`
			`if (!providerUri) {`
			`throw new Error("cannot discover without providerUri");`
			`}`
bugfixes 2017-02-10 20:23:57 -07:00			`if (!opts.client_id) {`
			`throw new Error("cannot discover without options.client_id");`
WIP provider separation, grant flow 2017-02-09 21:51:22 -05:00			`}`
don't redirect attack your client, duh! 2017-02-10 23:45:34 -05:00			`var clientId = core.normalizeUrl(opts.client_id \|\| opts.client_uri);`
			`providerUri = core.normalizeUrl(providerUri);`
WIP provider separation, grant flow 2017-02-09 21:51:22 -05:00
			`var params = {`
			`action: 'directives'`
			`, state: core.utils.randomState()`
don't redirect attack your client, duh! 2017-02-10 23:45:34 -05:00			`, redirect_uri: clientId + (opts.client_callback_path \|\| '/.well-known/oauth3/callback.html')`
WIP provider separation, grant flow 2017-02-09 21:51:22 -05:00			`, response_type: 'rpc'`
			`, _method: 'GET'`
			`, _pathname: '.well-known/oauth3/directives.json'`
			`, debug: opts.debug \|\| undefined`
			`};`

			`var result = {`
			`url: providerUri + '/.well-known/oauth3/#/?' + core.querystringify(params)`
			`, state: params.state`
			`, method: 'GET'`
			`, query: params`
			`};`

			`return result;`
			`};`
WIP refactor (refreshToken works) 2017-02-08 04:18:15 -05:00			`core.urls.authorizationCode = function (/directive, scope, redirectUri, clientId/) {`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`//`
			`// Example Authorization Code Request`
			`// (not for use in the browser)`
			`//`
			`// GET https://example.com/api/org.oauth3.provider/authorization_dialog`
			`// ?response_type=code`
			// &scope=`encodeURIComponent('profile.login profile.email')`
secure state, api fix for discover(), url trailing slash fix 2017-02-06 13:26:46 -07:00			// &state=`cryptoutil.random().toString('hex')`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`// &client_id=xxxxxxxxxxx`
			// &redirect_uri=`encodeURIComponent('https://myapp.com/oauth3.html')`
			`//`
			// NOTE: `redirect_uri` itself may also contain URI-encoded components
			`//`
			`// NOTE: This probably shouldn't be done in the browser because the server`
			`// needs to initiate the state. If it is done in a browser, the browser`
			`// should probably request 'state' from the server beforehand`
			`//`

			`throw new Error("not implemented");`
			`};`

WIP refactor (refreshToken works) 2017-02-08 04:18:15 -05:00			`core.urls.authorizationRedirect = function (directive, opts) {`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`//console.log('[authorizationRedirect]');`
			`//`
			`// Example Authorization Redirect - from Browser to Consumer API`
			`// (for generating a session securely on your own server)`
			`//`
			`// i.e. GET https://<<CONSUMER>>.com/api/org.oauth3.consumer/authorization_redirect/<<PROVIDER>>.com`
			`//`
			// GET https://myapp.com/api/org.oauth3.consumer/authorization_redirect/`encodeURIComponent('example.com')`
			// &scope=`encodeURIComponent('profile.login profile.email')`
			`//`
			`// (optional)`
secure state, api fix for discover(), url trailing slash fix 2017-02-06 13:26:46 -07:00			// &state=`cryptoutil.random().toString('hex')`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			// &redirect_uri=`encodeURIComponent('https://myapp.com/oauth3.html')`
			`//`
			`// NOTE: This is not a request sent to the provider, but rather a request sent to the`
			`// consumer (your own API) which then sets some state and redirects.`
			// This will initiate the `authorization_code` request on your server
			`//`
			`opts = opts \|\| {};`

			`var scope = opts.scope \|\| directive.authn_scope;`
			`var providerUri = directive.provider_uri;`
secure state, api fix for discover(), url trailing slash fix 2017-02-06 13:26:46 -07:00			`var params = {`
			`state: core.utils.randomState()`
			`, debug: opts.debug \|\| undefined`
			`};`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`var slimProviderUri = encodeURIComponent(providerUri.replace(/^(https?\|spdy):\/\//, ''));`
update url gens 2017-02-07 12:23:30 -05:00			`var authorizationRedirect = opts.authorizationRedirect;`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00
			`if (scope) {`
			`params.scope = scope;`
			`}`
			`if (opts.redirectUri) {`
			`// this is really only for debugging`
			`params.redirect_uri = opts.redirectUri;`
			`}`
			`// Note: the type check is necessary because we allow 'true'`
			`// as an automatic mechanism when it isn't necessary to specify`
			`if ('string' !== typeof authorizationRedirect) {`
			`// TODO oauth3.json for self?`
move to towards discrete xd callbacks 2017-01-31 19:12:31 -07:00			`authorizationRedirect = (opts.appApiBase \|\| getDefaultAppApiBase())`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`+ '/api/org.oauth3.consumer/authorization_redirect/:provider_uri';`
			`}`
			`authorizationRedirect = authorizationRedirect`
			`.replace(/!(provider_uri)/, slimProviderUri)`
			`.replace(/:provider_uri/, slimProviderUri)`
			`.replace(/#{provider_uri}/, slimProviderUri)`
			`.replace(/{{provider_uri}}/, slimProviderUri)`
			`;`

			`return {`
			`url: authorizationRedirect + '?' + core.querystringify(params)`
			`, method: 'GET'`
secure state, api fix for discover(), url trailing slash fix 2017-02-06 13:26:46 -07:00			`, state: params.state // this becomes browser_state`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`, params: params // includes scope, final redirect_uri?`
			`};`
			`};`

WIP refactor (refreshToken works) 2017-02-08 04:18:15 -05:00			`core.urls.implicitGrant = function (directive, opts) {`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`//console.log('[implicitGrant]');`
			`//`
			`// Example Implicit Grant Request`
			`// (for generating a browser-only session, not a session on your server)`
			`//`
			`// GET https://example.com/api/org.oauth3.provider/authorization_dialog`
			`// ?response_type=token`
			// &scope=`encodeURIComponent('profile.login profile.email')`
secure state, api fix for discover(), url trailing slash fix 2017-02-06 13:26:46 -07:00			// &state=`cryptoutil.random().toString('hex')`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`// &client_id=xxxxxxxxxxx`
			// &redirect_uri=`encodeURIComponent('https://myapp.com/oauth3.html')`
			`//`
			// NOTE: `redirect_uri` itself may also contain URI-encoded components
			`//`

			`opts = opts \|\| {};`
			`var type = 'authorization_dialog';`
			`var responseType = 'token';`

bugfix 2017-02-10 22:23:21 -05:00			`var redirectUri = opts.redirect_uri;`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`var scope = opts.scope \|\| directive.authn_scope;`
			`var args = directive[type];`
			`var uri = args.url;`
secure state, api fix for discover(), url trailing slash fix 2017-02-06 13:26:46 -07:00			`var state = core.utils.randomState();`
			`var params = {`
			`debug: opts.debug \|\| undefined`
fix client_uri in authorization_dialog 2017-02-07 19:24:44 -07:00			`, client_uri: opts.client_uri \|\| opts.clientUri \|\| undefined`
bugfix 2017-02-10 22:23:21 -05:00			`, client_id: opts.client_id \|\| opts.client_uri \|\| undefined`
secure state, api fix for discover(), url trailing slash fix 2017-02-06 13:26:46 -07:00			`};`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`var result;`

			`params.state = state;`
			`params.response_type = responseType;`
			`if (scope) {`
add refreshToken, cleanup scopestringify 2017-01-19 01:08:07 +00:00			`params.scope = core.stringifyscope(scope);`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`}`
			`if (!redirectUri) {`
bugfix 2017-02-10 22:23:21 -05:00			`// TODO consider making this optional`
			`console.error('missing redirect_uri');`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`}`
			`params.redirect_uri = redirectUri;`

			`uri += '?' + core.querystringify(params);`

			`result = {`
			`url: uri`
			`, state: state`
			`, method: args.method`
			`, query: params`
			`};`

			`return result;`
			`};`

WIP provider separation, grant flow 2017-02-09 21:51:22 -05:00			`core.urls.resolve = function (base, next) {`
			`if (/^https:\/\//i.test(next)) {`
			`return next;`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`}`
WIP provider separation, grant flow 2017-02-09 21:51:22 -05:00			`return core.normalizeUrl(base) + '/' + core.normalizePath(next);`
add refreshToken, cleanup scopestringify 2017-01-19 01:08:07 +00:00			`};`

WIP refactor (refreshToken works) 2017-02-08 04:18:15 -05:00			`core.urls.refreshToken = function (directive, opts) {`
add refreshToken, cleanup scopestringify 2017-01-19 01:08:07 +00:00			`// grant_type=refresh_token`

			`// Example Refresh Token Request`
			`// (generally for 1st or 3rd party server-side, mobile, and desktop apps)`
			`//`
			`// POST https://example.com/api/oauth3/access_token`
			`// { "grant_type": "refresh_token", "client_id": "<<id>>", "scope": "<<scope>>"`
			`// , "username": "<<username>>", "password": "password" }`
			`//`
			`opts = opts \|\| {};`
			`var type = 'access_token';`
			`var grantType = 'refresh_token';`

			`var scope = opts.scope \|\| directive.authn_scope;`
			`var clientSecret = opts.appSecret \|\| opts.clientSecret;`
			`var args = directive[type];`
			`var params = {`
			`"grant_type": grantType`
WIP refactor (refreshToken works) 2017-02-08 04:18:15 -05:00			`, "refresh_token": opts.refresh_token \|\| opts.refreshToken \|\| (opts.session && opts.session.refresh_token)`
add refreshToken, cleanup scopestringify 2017-01-19 01:08:07 +00:00			`, "response_type": 'token'`
WIP refactor (refreshToken works) 2017-02-08 04:18:15 -05:00			`, "client_id": opts.appId \|\| opts.app_id \|\| opts.client_id \|\| opts.clientId \|\| opts.client_id \|\| opts.clientId`
			`, "client_uri": opts.client_uri \|\| opts.clientUri`
add refreshToken, cleanup scopestringify 2017-01-19 01:08:07 +00:00			`//, "scope": undefined`
			`//, "client_secret": undefined`
secure state, api fix for discover(), url trailing slash fix 2017-02-06 13:26:46 -07:00			`, debug: opts.debug \|\| undefined`
add refreshToken, cleanup scopestringify 2017-01-19 01:08:07 +00:00			`};`
			`var uri = args.url;`
			`var body;`

WIP refactor (refreshToken works) 2017-02-08 04:18:15 -05:00			`// TODO not allowed in the browser`
add refreshToken, cleanup scopestringify 2017-01-19 01:08:07 +00:00			`if (clientSecret) {`
			`params.client_secret = clientSecret;`
			`}`

			`if (scope) {`
			`params.scope = core.stringifyscope(scope);`
move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`}`

			`if ('GET' === args.method.toUpperCase()) {`
			`uri += '?' + core.querystringify(params);`
			`} else {`
			`body = params;`
			`}`

			`return {`
			`url: uri`
			`, method: args.method`
			`, data: body`
			`};`
			`};`

WIP refactor (refreshToken works) 2017-02-08 04:18:15 -05:00			`core.urls.logout = function (directive, opts) {`
refactor browser-only code 2017-02-08 00:48:07 -05:00			`opts = opts \|\| {};`
			`var type = 'logout';`
			`var clientId = opts.appId \|\| opts.clientId \|\| opts.client_id;`
			`var args = directive[type];`
			`var params = {`
			`client_id: opts.clientUri \|\| opts.client_uri`
			`, debug: opts.debug \|\| undefined`
			`};`
			`var uri = args.url;`
			`var body;`

			`if (opts.clientUri) {`
			`params.client_uri = opts.clientUri;`
			`}`

			`if (clientId) {`
			`params.client_id = clientId;`
			`}`

			`args.method = (args.method \|\| 'GET').toUpperCase();`
			`if ('GET' === args.method) {`
			`uri += '?' + core.querystringify(params);`
			`} else {`
			`body = params;`
			`}`

			`return {`
			`url: uri`
			`, method: args.method \|\| 'GET'`
			`, data: body`
			`};`
			`};`

move core utils and url gens to own file 2017-01-17 22:29:46 -05:00			`exports.OAUTH3 = exports.OAUTH3 \|\| { core: core };`
			`exports.OAUTH3_CORE = core.OAUTH3_CORE = core;`

			`if ('undefined' !== typeof module) {`
			`module.exports = core;`
			`}`
			`}('undefined' !== typeof exports ? exports : window));`