Blacklisting invalid params in authorize url (#611)

* blacklisting invalid params in authorize url * removing tenant params
auth0 · Dec 29, 2017 · 617b292 · 617b292
1 parent 308d55f
commit 617b292
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 3 deletions.
diff --git a/src/authentication/index.js b/src/authentication/index.js
@@ -139,8 +139,14 @@ Authentication.prototype.buildAuthorizeUrl = function(options) {
     params.connection_scope = params.connection_scope.join(',');
   }
 
+  params = objectHelper.blacklist(params, [
+    'username',
+    'popupOptions',
+    'domain',
+    'tenant',
+    'timeout'
+  ]);
   params = objectHelper.toSnakeCase(params, ['auth0Client']);
-  params = objectHelper.blacklist(params, ['username']);
   params = parametersWhitelist.oauthAuthorizeParams(this.warn, params);
 
   qString = qs.stringify(params);

diff --git a/test/authentication/authentication.test.js b/test/authentication/authentication.test.js
@@ -64,6 +64,17 @@ describe('auth0.authentication', function() {
       });
     });
 
+    ['username', 'popupOptions', 'domain', 'tenant', 'timeout'].forEach(function(param) {
+      it('should remove parameter: ' + param, function() {
+        var options = {};
+        options[param] = 'foobar';
+        var url = this.auth0.buildAuthorizeUrl(options);
+        expect(url).to.be(
+          'https://me.auth0.com/authorize?client_id=...&response_type=code&redirect_uri=http%3A%2F%2Fpage.com%2Fcallback'
+        );
+      });
+    });
+
     it('should return a url using the default settings', function() {
       var url = this.auth0.buildAuthorizeUrl({ state: '1234' });
 

diff --git a/test/web-auth/extensibility.test.js b/test/web-auth/extensibility.test.js
@@ -98,7 +98,7 @@ describe('auth0.WebAuth extensibility', function() {
     it('should change the content of the params', function(done) {
       stub(PopupHandler.prototype, 'load', function(url, relayUrl, options, cb) {
         expect(url).to.be(
-          'https://test.auth0.com/authorize?client_id=...&response_type=code&tenant=test&owp=true&scope=openid&redirect_uri=http%3A%2F%2Fcustom-url.com&state=randomState'
+          'https://test.auth0.com/authorize?client_id=...&response_type=code&owp=true&scope=openid&redirect_uri=http%3A%2F%2Fcustom-url.com&state=randomState'
         );
         expect(relayUrl).to.be('https://test.auth0.com/relay.html');
         expect(options).to.eql({});

diff --git a/test/web-auth/popup.test.js b/test/web-auth/popup.test.js
@@ -92,7 +92,7 @@ describe('auth0.WebAuth.popup', function() {
     it('should default scope to openid', function(done) {
       stub(PopupHandler.prototype, 'load', function(url) {
         expect(url).to.be(
-          'https://me.auth0.com/authorize?client_id=...&response_type=id_token&redirect_uri=http%3A%2F%2Fpage.com%2Fcallback&tenant=me&connection=the_connection&state=123&nonce=456&scope=openid'
+          'https://me.auth0.com/authorize?client_id=...&response_type=id_token&redirect_uri=http%3A%2F%2Fpage.com%2Fcallback&connection=the_connection&state=123&nonce=456&scope=openid'
         );
         storage.setItem.restore();
         TransactionManager.prototype.process.restore();