feat(auth): refresh access token request using body params (#890)

* feat(auth): refresh access token request using body params

When refreshing authorization access token, send the end point
parameters via body instead of URL.

This prevents intermediate proxies or logs to accidentally (or not)
expose secret values.

Fix #813

[docs]: https://www.dropbox.com/developers/documentation/http/documentation#oauth2-token

Author: bpinto

generator/typescript/index.d.tstemplate

@@ -22,6 +22,8 @@ export interface DropboxAuthOptions {
   domainDelimiter?: string;
   // An object (in the form of header: value) designed to set custom headers to use during a request.
   customHeaders?: object;
+  // Whether request data is sent on body or as URL params. Defaults to false.
+  dataOnBody?: boolean;
 }
 
 export class DropboxAuth {

src/auth.js

@@ -55,6 +55,8 @@ const IncludeGrantedScopes = ['none', 'user', 'team'];
  * subdomain. This should only be used for testing as scaffolding.
  * @arg {Object} [options.customHeaders] - An object (in the form of header: value) designed to set
  * custom headers to use during a request.
+ * @arg {Boolean} [options.dataOnBody] - Whether request data is sent on body or as URL params.
+  * Defaults to false.
 */
 export default class DropboxAuth {
   constructor(options) {
@@ -70,6 +72,7 @@ export default class DropboxAuth {
     this.domain = options.domain;
     this.domainDelimiter = options.domainDelimiter;
     this.customHeaders = options.customHeaders;
+    this.dataOnBody = options.dataOnBody;
   }
 
   /**
@@ -349,7 +352,6 @@ export default class DropboxAuth {
      * @returns {Promise<*>}
      */
   refreshAccessToken(scope = null) {
-    let refreshUrl = OAuth2TokenUrl(this.domain, this.domainDelimiter);
     const clientId = this.getClientId();
     const clientSecret = this.getClientSecret();
 
@@ -360,21 +362,33 @@ export default class DropboxAuth {
       throw new Error('Scope must be an array of strings');
     }
 
-    const headers = {};
-    headers['Content-Type'] = 'application/json';
-    refreshUrl += `?grant_type=refresh_token&refresh_token=${this.getRefreshToken()}`;
-    refreshUrl += `&client_id=${clientId}`;
-    if (clientSecret) {
-      refreshUrl += `&client_secret=${clientSecret}`;
-    }
-    if (scope) {
-      refreshUrl += `&scope=${scope.join(' ')}`;
-    }
+    let refreshUrl = OAuth2TokenUrl(this.domain, this.domainDelimiter);
     const fetchOptions = {
+      headers: { 'Content-Type': 'application/json' },
       method: 'POST',
     };
 
-    fetchOptions.headers = headers;
+    if (this.dataOnBody) {
+      const body = { grant_type: 'refresh_token', client_id: clientId, refresh_token: this.getRefreshToken() };
+
+      if (clientSecret) {
+        body.client_secret = clientSecret;
+      }
+      if (scope) {
+        body.scope = scope.join(' ');
+      }
+
+      fetchOptions.body = body;
+    } else {
+      refreshUrl += `?grant_type=refresh_token&refresh_token=${this.getRefreshToken()}`;
+      refreshUrl += `&client_id=${clientId}`;
+      if (clientSecret) {
+        refreshUrl += `&client_secret=${clientSecret}`;
+      }
+      if (scope) {
+        refreshUrl += `&scope=${scope.join(' ')}`;
+      }
+    }
 
     return this.fetch(refreshUrl, fetchOptions)
       .then((res) => parseResponse(res))

test/unit/auth.js

@@ -160,6 +160,18 @@ describe('DropboxAuth', () => {
     });
   });
 
+  describe('dataOnBody', () => {
+    it('can be set in the constructor', () => {
+      const dbx = new DropboxAuth({ dataOnBody: true });
+      chai.assert.equal(dbx.dataOnBody, true);
+    });
+
+    it('is undefined if not set in constructor', () => {
+      const dbx = new DropboxAuth();
+      chai.assert.equal(dbx.dataOnBody, undefined);
+    });
+  });
+
   describe('refreshToken', () => {
     it('can be set in the constructor', () => {
       const dbxAuth = new DropboxAuth({ refreshToken: 'foo' });
@@ -366,9 +378,7 @@ describe('DropboxAuth', () => {
       );
     });
 
-    const testRefreshUrl = 'https://api.dropboxapi.com/oauth2/token?grant_type=refresh_token&refresh_token=undefined&client_id=foo&client_secret=bar';
-
-    it('sets the correct refresh url (no scope passed)', () => {
+    it('sets request content type to json', () => {
       const dbxAuth = new DropboxAuth({
         clientId: 'foo',
         clientSecret: 'bar',
@@ -377,26 +387,97 @@ describe('DropboxAuth', () => {
       const fetchSpy = sinon.spy(dbxAuth, 'fetch');
       dbxAuth.refreshAccessToken();
       chai.assert.isTrue(fetchSpy.calledOnce);
-      const refreshUrl = dbxAuth.fetch.getCall(0).args[0];
+
       const { headers } = dbxAuth.fetch.getCall(0).args[1];
-      chai.assert.equal(refreshUrl, testRefreshUrl);
       chai.assert.equal(headers['Content-Type'], 'application/json');
     });
 
-    it('sets the correct refresh url (scope passed)', () => {
-      const dbxAuth = new DropboxAuth({
-        clientId: 'foo',
-        clientSecret: 'bar',
+    describe('when dataOnBody flag is enabled', () => {
+      const dataOnBody = true;
+
+      it('does the request without URL parameters', () => {
+        const dbxAuth = new DropboxAuth({
+          clientId: 'foo',
+          clientSecret: 'bar',
+          dataOnBody,
+        });
+
+        const fetchSpy = sinon.spy(dbxAuth, 'fetch');
+        dbxAuth.refreshAccessToken(['files.metadata.read']);
+        chai.assert.isTrue(fetchSpy.calledOnce);
+        const refreshUrl = dbxAuth.fetch.getCall(0).args[0];
+
+        chai.assert.equal(refreshUrl, 'https://api.dropboxapi.com/oauth2/token');
       });
 
-      const fetchSpy = sinon.spy(dbxAuth, 'fetch');
-      dbxAuth.refreshAccessToken(['files.metadata.read']);
-      chai.assert.isTrue(fetchSpy.calledOnce);
-      const refreshUrl = dbxAuth.fetch.getCall(0).args[0];
-      const { headers } = dbxAuth.fetch.getCall(0).args[1];
-      const testScopeUrl = `${testRefreshUrl}&scope=files.metadata.read`;
-      chai.assert.equal(refreshUrl, testScopeUrl);
-      chai.assert.equal(headers['Content-Type'], 'application/json');
+      it('sends the client id and secret in the body', () => {
+        const dbxAuth = new DropboxAuth({
+          clientId: 'foo',
+          clientSecret: 'bar',
+          dataOnBody,
+        });
+
+        const fetchSpy = sinon.spy(dbxAuth, 'fetch');
+        dbxAuth.refreshAccessToken();
+        chai.assert.isTrue(fetchSpy.calledOnce);
+
+        const { body } = dbxAuth.fetch.getCall(0).args[1];
+        chai.assert.equal(body.client_id, 'foo');
+        chai.assert.equal(body.client_secret, 'bar');
+      });
+
+      it('sends the scope in the body when passed', () => {
+        const dbxAuth = new DropboxAuth({
+          clientId: 'foo',
+          clientSecret: 'bar',
+          dataOnBody,
+        });
+
+        const fetchSpy = sinon.spy(dbxAuth, 'fetch');
+        dbxAuth.refreshAccessToken(['files.metadata.read']);
+        chai.assert.isTrue(fetchSpy.calledOnce);
+
+        const { body } = dbxAuth.fetch.getCall(0).args[1];
+        chai.assert.equal(body.scope, 'files.metadata.read');
+      });
+    });
+
+    describe('when dataOnBody flag is disabled', () => {
+      const dataOnBody = false;
+      const testRefreshUrl = 'https://api.dropboxapi.com/oauth2/token?grant_type=refresh_token&refresh_token=undefined&client_id=foo&client_secret=bar';
+
+      it('sets the correct refresh url (no scope passed)', () => {
+        const dbxAuth = new DropboxAuth({
+          clientId: 'foo',
+          clientSecret: 'bar',
+          dataOnBody,
+        });
+
+        const fetchSpy = sinon.spy(dbxAuth, 'fetch');
+        dbxAuth.refreshAccessToken();
+        chai.assert.isTrue(fetchSpy.calledOnce);
+        const refreshUrl = dbxAuth.fetch.getCall(0).args[0];
+        const { headers } = dbxAuth.fetch.getCall(0).args[1];
+        chai.assert.equal(refreshUrl, testRefreshUrl);
+        chai.assert.equal(headers['Content-Type'], 'application/json');
+      });
+
+      it('sets the correct refresh url (scope passed)', () => {
+        const dbxAuth = new DropboxAuth({
+          clientId: 'foo',
+          clientSecret: 'bar',
+          dataOnBody,
+        });
+
+        const fetchSpy = sinon.spy(dbxAuth, 'fetch');
+        dbxAuth.refreshAccessToken(['files.metadata.read']);
+        chai.assert.isTrue(fetchSpy.calledOnce);
+        const refreshUrl = dbxAuth.fetch.getCall(0).args[0];
+        const { headers } = dbxAuth.fetch.getCall(0).args[1];
+        const testScopeUrl = `${testRefreshUrl}&scope=files.metadata.read`;
+        chai.assert.equal(refreshUrl, testScopeUrl);
+        chai.assert.equal(headers['Content-Type'], 'application/json');
+      });
     });
   });
 });

types/index.d.ts

@@ -23,6 +23,8 @@ export interface DropboxAuthOptions {
   domainDelimiter?: string;
   // An object (in the form of header: value) designed to set custom headers to use during a request.
   customHeaders?: object;
+  // Whether request data is sent on body or as URL params. Defaults to false.
+  dataOnBody?: boolean;
 }
 
 export class DropboxAuth {