Instantly share code, notes, and snippets.
Last active
April 24, 2024 08:54
-
Star
(0)
0
You must be signed in to star a gist -
Fork
(0)
0
You must be signed in to fork a gist
-
Save htammen/62fa76658c14080e12af8a7777eb5117 to your computer and use it in GitHub Desktop.
Simulation of OAuth authorization grant process flow
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * This litte program allows to test HTTP redirect cookie options. | |
| * It can be used to simulate the OAuth authorization grant login process implemented | |
| * by the german eID provider DTrust. | |
| * | |
| * How to use it? | |
| * - start the application with `node cookieTest.js`. This starts a http server at Port 8000 at your localhost. | |
| * - In another terminal window run ngrok with the command `ngrok http 8000` | |
| * - you now can access your server via localhost:8000 and a ngrok https url. | |
| * - Encode the ngrok url e.g. by node.js repl command `encodeURIComponent('https://ee3f-84-58-22-35.ngrok-free.app')` | |
| * - Call http://localhost:8000/seturl?url=https%3A%2F%2F8745-84-58-22-35.ngrok-free.app in your browser | |
| * - You get a http response with thre link. | |
| * - Click at each link and see what you get back. | |
| * | |
| * The links return a redirect to the ngrok url. This url immediately also returns a redirect to another ngrok url. | |
| * To see more details inspect the network traffic in your browser. | |
| * | |
| * You find this code at https://gist.github.com/htammen/62fa76658c14080e12af8a7777eb5117 | |
| */ | |
| const http = require('http'); | |
| var url = require('url'); | |
| let secureurl = ''; | |
| let sameSite = 'Lax'; | |
| const server = http.createServer((req, res) => { | |
| if (req.url === '/somewhere/subpage') { | |
| res.writeHead(200, { | |
| 'cache-control': 'none' | |
| }); | |
| if (!req.headers.cookie) | |
| res.write('oh no, no cookies at all :('); | |
| else if (req.headers.cookie.includes('bell-custom=testValue_1')) | |
| res.write('yay cookies! :)'); | |
| else | |
| res.write('missing the cookie :('); | |
| } | |
| else if (req.url === '/') { | |
| if (req.headers.host.includes('localhost')) { | |
| res.writeHead(302, { | |
| 'Cache-Control': 'Cache-Control:max-age=0, no-cache, no-store, must-revalidate', | |
| 'Content-Type': 'text/html;charset=UTF-8' | |
| }); | |
| res.write('You must call this site from 127.0.0.1 instead of localhost ' + | |
| 'to have the bug occur. I would offer you a link, but if you click on' + | |
| ' a link or get redirected from this site to 127.0.0.1, it does work ' + | |
| 'again for some reason. So please manually visit http://127.0.0.1:8000' | |
| ); | |
| } | |
| else { | |
| res.writeHead(302, { | |
| 'Cache-Control': 'Cache-Control:max-age=0, no-cache, no-store, must-revalidate', | |
| 'Location': `${secureurl}/cookiewhere` | |
| }); | |
| } | |
| } | |
| else if (req.url === '/cookiewhere_1') { | |
| sameSite = 'None' | |
| res.writeHead(302, { | |
| 'cache-control': 'none', | |
| 'Content-Length': 0, | |
| 'Location': '/anywhere/subpage', | |
| 'Pragma': 'No-Cache', | |
| }); | |
| } | |
| else if (req.url === '/cookiewhere_2') { | |
| sameSite = 'Lax' | |
| res.writeHead(302, { | |
| 'cache-control': 'none', | |
| 'Content-Length': 0, | |
| 'Location': '/anywhere/subpage', | |
| 'Pragma': 'No-Cache', | |
| }); | |
| } | |
| else if (req.url === '/cookiewhere_3') { | |
| sameSite = 'Strict' | |
| res.writeHead(302, { | |
| 'cache-control': 'none', | |
| 'Content-Length': 0, | |
| 'Location': '/anywhere/subpage', | |
| 'Pragma': 'No-Cache', | |
| }); | |
| } | |
| else if (req.url.match('^\/seturl.*')) { | |
| var queryData = url.parse(req.url, true).query; | |
| console.log(`secureUrl: ${queryData.url}`) | |
| secureurl = queryData.url; | |
| res.writeHead(200) | |
| res.end(`<p><a href='/url1'>cookie: bell-custom=testValue_1; HttpOnly; Secure; Path=/'</a> | |
| </p><p><a href='/url2'>cookie: bell-custom=testValue_1; HttpOnly; Secure; SameSite=Lax; Path=/</a></p> | |
| <p><a href='/url3'>cookie: bell-custom=testValue_1; HttpOnly; Secure; SameSite=Strict; Path=/</a> | |
| <p>URL: ${secureurl}</p>`) | |
| } | |
| else if (req.url === '/url1') { | |
| res.writeHead(302, { | |
| // 'Cache-Control': 'Cache-Control:max-age=0, no-cache, no-store, must-revalidate', | |
| 'Location': `${secureurl}/cookiewhere_1` | |
| }); | |
| } | |
| else if (req.url === '/url2') { | |
| res.writeHead(302, { | |
| // 'Cache-Control': 'Cache-Control:max-age=0, no-cache, no-store, must-revalidate', | |
| 'Location': `${secureurl}/cookiewhere_2` | |
| }); | |
| } | |
| else if (req.url === '/url3') { | |
| res.writeHead(302, { | |
| // 'Cache-Control': 'Cache-Control:max-age=0, no-cache, no-store, must-revalidate', | |
| 'Location': `${secureurl}/cookiewhere_3` | |
| }); | |
| } | |
| else { | |
| res.writeHead(302, { | |
| 'cache-control': 'none', | |
| 'Content-Length': 0, | |
| 'Location': '/somewhere/subpage', | |
| 'Pragma': 'No-Cache', | |
| 'Set-Cookie': [ | |
| `bell-custom=testValue_1; HttpOnly; Secure; SameSite=${sameSite}; Path=/`, | |
| ] | |
| }); | |
| // 'mytestcookie=bethere; HttpOnly; SameSite=Strict; Path=/' | |
| } | |
| res.end(); | |
| }); | |
| server.on('clientError', (err, socket) => { | |
| socket.end('HTTP/1.1 400 Bad Request\r\n\r\n'); | |
| }); | |
| server.listen(8000); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment