From 83313709eab651f8c29da10a4e313ae85dee448f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bal=C3=A1zs=20Orb=C3=A1n?= Date: Fri, 11 Dec 2020 22:43:26 +0100 Subject: [PATCH] chore: fix casing of OAuth
---
src/lib/errors.js | 2 +- src/server/index.js | 2 +- src/server/lib/callback-handler.js | 22 +++++++++++----------- src/server/lib/oauth/callback.js | 6 +++--- src/server/lib/oauth/client.js | 4 ++-- src/server/lib/signin/oauth.js | 4 ++-- src/server/routes/callback.js | 2 +- 7 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/src/lib/errors.js b/src/lib/errors.js
index 147d535101..f73e977826 100644
--- a/src/lib/errors.js
+++ b/src/lib/errors.js
@@ -25,7 +25,7 @@ class CreateUserError extends UnknownError {
 }
 
 // Thrown when an Email address is already associated with an account
-// but the user is trying an oAuth account that is not linked to it.
+// but the user is trying an OAuth account that is not linked to it.
 class AccountNotLinkedError extends UnknownError {
   constructor (message) {
     super(message)
diff --git a/src/server/index.js b/src/server/index.js
index 2b47a2e635..2ea1085054 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -62,7 +62,7 @@ async function NextAuth (req, res, userSuppliedOptions) {
   // Secret used salt cookies and tokens (e.g. for CSRF protection).
   // If no secret option is specified then it creates one on the fly
   // based on options passed here. A options contains unique data, such as
-  // oAuth provider secrets and database credentials it should be sufficent.
+  // OAuth provider secrets and database credentials it should be sufficent.
   const secret = userSuppliedOptions.secret || createHash('sha256').update(JSON.stringify({ baseUrl, basePath, ...userSuppliedOptions })).digest('hex')
 
   // Use secure cookies if the site uses HTTPS
diff --git a/src/server/lib/callback-handler.js b/src/server/lib/callback-handler.js
index 6fdd052456..aea6d48b68 100644
--- a/src/server/lib/callback-handler.js
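Review bot: The rewritten comment above `const secret = ...` asserts the derived fallback is sufficient, but the visible line hashes `JSON.stringify({ baseUrl, basePath, ...userSuppliedOptions })`, so the fallback secret is exactly as unpredictable as the confidential values that happen to be present in the options; a deployment whose options carry no client secrets or database credentials (not visible here, so inferred) would end up with a secret computable from public configuration. I would replace the two new comment lines with `// OAuth provider secrets and database credentials; it is only as strong as those values, so` and `// deployments should set an explicit secret option rather than rely on this fallback.`, which also fixes the typo "sufficent" and the grammar of "A options contains". The NextAuth function this hunk sits in starts and continues outside the hunk.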
+++ b/src/server/lib/callback-handler.js
@@ -2,10 +2,10 @@
 // linking (or not linking) accounts depending on if the user is currently logged
 // in, if they have account already and the authentication mechanism they are using.
 //
-// It prevents insecure behaviour, such as linking oAuth accounts unless a user is
+// It prevents insecure behaviour, such as linking OAuth accounts unless a user is
 // signed in and authenticated with an existing valid account.
 //
-// All verification (e.g. oAuth flows or email address verificaiton flows) are
+// All verification (e.g. OAuth flows or email address verificaiton flows) are
 // done prior to this handler being called to avoid additonal complexity in this
 // handler.
 import { AccountNotLinkedError } from '../../lib/errors'
@@ -136,7 +136,7 @@ export default async (sessionToken, profile, providerAccount, options) => {
       }
     } else {
       if (isSignedIn) {
-        // If the user is already signed in and the oAuth account isn't already associated
+        // If the user is already signed in and the OAuth account isn't already associated
         // with another user account then we can go ahead and link the accounts safely.
         await linkAccount(
           user.id,
@@ -157,28 +157,28 @@ export default async (sessionToken, profile, providerAccount, options) => {
       }
     }
 
-    // If the user is not signed in and it looks like a new oAuth account then we
+    // If the user is not signed in and it looks like a new OAuth account then we
     // check there also isn't an user account already associated with the same
-    // email address as the one in the oAuth profile.
+    // email address as the one in the OAuth profile.
     //
-    // This step is often overlooked in oAuth implementations, but covers the following cases:
+    // This step is often overlooked in OAuth implementations, but covers the following cases:
     //
     // 1. It makes it harder for someone to accidentally create two accounts.
     // e.g. by signin in with email, then again with an oauth account connected to the same email.
-    // 2. It makes it harder to hijack a user account using a 3rd party oAuth account.
+    // 2. It makes it harder to hijack a user account using a 3rd party OAuth account.
     // e.g. by creating an oauth account then changing the email address associated with it.
     //
     // It's quite common for services to automatically link accounts in this case, but it's
     // better practice to require the user to sign in *then* link accounts to be sure
-    // someone is not exploiting a problem with a third party oAuth service.
+    // someone is not exploiting a problem with a third party OAuth service.
     //
-    // oAuth providers should require email address verification to prevent this, but in
+    // OAuth providers should require email address verification to prevent this, but in
     // practice that is not always the case; this helps protect against that.
     const userByEmail = profile.email ? await getUserByEmail(profile.email) : null
     if (userByEmail) {
       // We end up here when we don't have an account with the same [provider].id *BUT*
       // we do already have an account with the same email address as the one in the
-      // oAuth profile the user has just tried to sign in with.
+      // OAuth profile the user has just tried to sign in with.
       //
       // We don't want to have two accounts with the same email address, and we don't
       // want to link them in case it's not safe to do so, so instead we prompt the user
@@ -189,7 +189,7 @@ export default async (sessionToken, profile, providerAccount, options) => {
     // accounts (by email or provider account id)...
     //
     // If no account matching the same [provider].id or .email exists, we can
-    // create a new account for the user, link it to the oAuth acccount and
+    // create a new account for the user, link it to the OAuth acccount and
     // create a new session for them so they are signed in with it.
     user = await createUser(profile)
     await dispatchEvent(events.createUser, user)
diff --git a/src/server/lib/oauth/callback.js b/src/server/lib/oauth/callback.js
index e19020dfc1..16d6eaeae7 100644
--- a/src/server/lib/oauth/callback.js
+++ b/src/server/lib/oauth/callback.js
@@ -28,7 +28,7 @@ export default async (req, provider, csrfToken, callback) => {
     if (!Object.prototype.hasOwnProperty.call(provider, 'state') || provider.state === true) {
       const expectedState = createHash('sha256').update(csrfToken).digest('hex')
       if (state !== expectedState) {
-        return callback(new Error('Invalid state returned from oAuth provider'))
+        return callback(new Error('Invalid state returned from OAuth provider'))
       }
     }
 
@@ -103,7 +103,7 @@ export default async (req, provider, csrfToken, callback) => {
         }
       )
     } else {
-      // Handle oAuth v1.x
+      // Handle OAuth v1.x
       await client.getOAuthAccessToken(
         oauth_token,
         null,
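Review bot: In the `if (!Object.prototype.hasOwnProperty.call(provider, 'state') || provider.state === true)` guard, a provider configured with `state: false` skips the whole block, so its callback is accepted without any check that the response is tied to the browser's CSRF token; the hunk only changes the casing of the error message and leaves that trade-off undocumented. A comment above the guard would make it explicit for the next maintainer: `// Providers configured with state: false skip this check entirely and get no CSRF binding on the callback; only disable it for providers that cannot echo state back.` The `state` value compared here is read outside the hunk, presumably from the callback request, and the exported handler starts outside the hunk.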
@@ -211,7 +211,7 @@ async function _getOAuthAccessToken (code, provider, callback) {
 
   if (!params.redirect_uri) { params.redirect_uri = provider.callbackUrl }
   if (!headers['Content-Type']) { headers['Content-Type'] = 'application/x-www-form-urlencoded' }
-  // Added as a fix to accomodate change in Twitch oAuth API
+  // Added as a fix to accomodate change in Twitch OAuth API
   if (!headers['Client-ID']) { headers['Client-ID'] = provider.clientId }
   // Added as a fix for Reddit Authentication
   if (provider.id === 'reddit') {
diff --git a/src/server/lib/oauth/client.js b/src/server/lib/oauth/client.js
index dd2a9f0481..18bdfff581 100644
--- a/src/server/lib/oauth/client.js
+++ b/src/server/lib/oauth/client.js
@@ -5,7 +5,7 @@ import { OAuth, OAuth2 } from 'oauth'
 
 export default (provider) => {
   if (provider.version && provider.version.startsWith('2.')) {
-    // Handle oAuth v2.x
+    // Handle OAuth v2.x
     const basePath = new URL(provider.authorizationUrl).origin
     const authorizePath = new URL(provider.authorizationUrl).pathname
     const accessTokenPath = new URL(provider.accessTokenUrl).pathname
@@ -17,7 +17,7 @@ export default (provider) => {
       accessTokenPath,
       provider.headers)
   } else {
-    // Handle oAuth v1.x
+    // Handle OAuth v1.x
     return new OAuth(
       provider.requestTokenUrl,
       provider.accessTokenUrl,
diff --git a/src/server/lib/signin/oauth.js b/src/server/lib/signin/oauth.js
index 3584efe564..13eada068c 100644
--- a/src/server/lib/signin/oauth.js
+++ b/src/server/lib/signin/oauth.js
@@ -6,7 +6,7 @@ export default (provider, csrfToken, callback, authParams) => {
   const { callbackUrl } = provider
   const client = oAuthClient(provider)
   if (provider.version && provider.version.startsWith('2.')) {
-    // Handle oAuth v2.x
+    // Handle OAuth v2.x
     let url = client.getAuthorizeUrl({
       ...authParams,
       redirect_uri: provider.callbackUrl,
@@ -31,7 +31,7 @@ export default (provider, csrfToken, callback, authParams) => {
 
     callback(null, url)
   } else {
-    // Handle oAuth v1.x
+    // Handle OAuth v1.x
     client.getOAuthRequestToken((error, oAuthToken) => {
       if (error) {
         logger.error('GET_AUTHORISATION_URL_ERROR', error)
diff --git a/src/server/routes/callback.js b/src/server/routes/callback.js
index 138861e9c5..cd9ee488ca 100644
--- a/src/server/routes/callback.js
+++ b/src/server/routes/callback.js
@@ -118,7 +118,7 @@ export default async (req, res, options, done) => {
         return redirect(callbackUrl || baseUrl)
       } catch (error) {
         if (error.name === 'AccountNotLinkedError') {
-          // If the email on the account is already linked, but nto with this oAuth account
+          // If the email on the account is already linked, but nto with this OAuth account
           return redirect(`${baseUrl}${basePath}/error?error=OAuthAccountNotLinked`)
         } else if (error.name === 'CreateUserError') {
           return redirect(`${baseUrl}${basePath}/error?error=OAuthCreateAccount`)