fix: support number and strings for id params but pass original params to model

jankapunkt · jankapunkt · commit f3d77addc808 · 2026-01-29T15:10:15.000+01:00
diff --git a/lib/grant-types/authorization-code-grant-type.js b/lib/grant-types/authorization-code-grant-type.js
@@ -84,13 +84,15 @@ class AuthorizationCodeGrantType extends AbstractGrantType {
       throw new InvalidRequestError('Invalid parameter: `code`');
     }
 
+    // normalize string|number to string
     const requestCode = toString(request.body.code);
 
     if (!isFormat.vschar(requestCode)) {
       throw new InvalidRequestError('Invalid parameter: `code`');
     }
 
-    const code = await this.model.getAuthorizationCode(requestCode);
+    // XXX: still passing the original value from request to model
+    const code = await this.model.getAuthorizationCode(request.body.code);
 
     if (!code) {
       throw new InvalidGrantError('Invalid grant: authorization code is invalid');
diff --git a/lib/grant-types/refresh-token-grant-type.js b/lib/grant-types/refresh-token-grant-type.js
@@ -81,7 +81,7 @@ class RefreshTokenGrantType extends AbstractGrantType {
       throw new InvalidRequestError('Invalid parameter: `refresh_token`');
     }
 
-    const token = await this.model.getRefreshToken(refreshToken);
+    const token = await this.model.getRefreshToken(request.body.refresh_token);
 
     if (!token) {
       throw new InvalidGrantError('Invalid grant: refresh token is invalid');
diff --git a/lib/handlers/authorize-handler.js b/lib/handlers/authorize-handler.js
@@ -173,6 +173,7 @@ class AuthorizeHandler {
 
     const redirectUri = request.body.redirect_uri || request.query.redirect_uri;
 
+    // XXX: why is there no 'Missing parameter: `redirect_uri`' error?
     if (isDefined(redirectUri) && (!isString(redirectUri) || !isFormat.uri(redirectUri))) {
       throw new InvalidRequestError('Invalid request: `redirect_uri` is not a valid URI');
     }
diff --git a/lib/handlers/token-handler.js b/lib/handlers/token-handler.js
@@ -18,6 +18,8 @@ const UnsupportedGrantTypeError = require('../errors/unsupported-grant-type-erro
 const auth = require('basic-auth');
 const pkce = require('../pkce/pkce');
 const isFormat = require('@node-oauth/formats');
+const { isInTypes, toString } = require('../utils/param-util');
+const isStringOrNumber = isInTypes('string', 'number');
 
 /**
  * Grant types.
@@ -123,7 +125,7 @@ class TokenHandler {
       throw new InvalidRequestError('Missing parameter: `client_secret`');
     }
 
-    if (!isFormat.vschar(credentials.clientId)) {
+    if (!isStringOrNumber(credentials.clientId) || !isFormat.vschar(toString(credentials.clientId))) {
       throw new InvalidRequestError('Invalid parameter: `client_id`');
     }
 
diff --git a/lib/utils/scope-util.js b/lib/utils/scope-util.js
@@ -1,6 +1,8 @@
 const isFormat = require('@node-oauth/formats');
 const InvalidScopeError = require('../errors/invalid-scope-error');
+const { isInTypes } = require('../utils/param-util');
 const whiteSpace = /\s+/g;
+const isString = isInTypes('string');
 
 /**
  * @module ScopeUtil
@@ -22,7 +24,7 @@ function parseScope (requestedScope) {
     return undefined;
   }
 
-  if (typeof requestedScope !== 'string') {
+  if (!isString(requestedScope)) {
     throw new InvalidScopeError('Invalid parameter: `scope`');
   }
 

Original file line number	Diff line number	Diff line change
`@@ -84,13 +84,15 @@ class AuthorizationCodeGrantType extends AbstractGrantType {`
`84`	`84`	throw new InvalidRequestError('Invalid parameter: `code`');
`85`	`85`	`}`
`86`	`86`
	`87`	`+ // normalize string\|number to string`
`87`	`88`	`const requestCode = toString(request.body.code);`
`88`	`89`
`89`	`90`	`if (!isFormat.vschar(requestCode)) {`
`90`	`91`	throw new InvalidRequestError('Invalid parameter: `code`');
`91`	`92`	`}`
`92`	`93`
`93`		`- const code = await this.model.getAuthorizationCode(requestCode);`
	`94`	`+ // XXX: still passing the original value from request to model`
	`95`	`+ const code = await this.model.getAuthorizationCode(request.body.code);`
`94`	`96`
`95`	`97`	`if (!code) {`
`96`	`98`	`throw new InvalidGrantError('Invalid grant: authorization code is invalid');`
Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@ class RefreshTokenGrantType extends AbstractGrantType {`
`81`	`81`	throw new InvalidRequestError('Invalid parameter: `refresh_token`');
`82`	`82`	`}`
`83`	`83`
`84`		`- const token = await this.model.getRefreshToken(refreshToken);`
	`84`	`+ const token = await this.model.getRefreshToken(request.body.refresh_token);`
`85`	`85`
`86`	`86`	`if (!token) {`
`87`	`87`	`throw new InvalidGrantError('Invalid grant: refresh token is invalid');`
Original file line number	Diff line number	Diff line change
`@@ -173,6 +173,7 @@ class AuthorizeHandler {`
`173`	`173`
`174`	`174`	`const redirectUri = request.body.redirect_uri \|\| request.query.redirect_uri;`
`175`	`175`
	`176`	+ // XXX: why is there no 'Missing parameter: `redirect_uri`' error?
`176`	`177`	`if (isDefined(redirectUri) && (!isString(redirectUri) \|\| !isFormat.uri(redirectUri))) {`
`177`	`178`	throw new InvalidRequestError('Invalid request: `redirect_uri` is not a valid URI');
`178`	`179`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,8 @@ const UnsupportedGrantTypeError = require('../errors/unsupported-grant-type-erro`
`18`	`18`	`const auth = require('basic-auth');`
`19`	`19`	`const pkce = require('../pkce/pkce');`
`20`	`20`	`const isFormat = require('@node-oauth/formats');`
	`21`	`+const { isInTypes, toString } = require('../utils/param-util');`
	`22`	`+const isStringOrNumber = isInTypes('string', 'number');`
`21`	`23`
`22`	`24`	`/**`
`23`	`25`	`* Grant types.`
`@@ -123,7 +125,7 @@ class TokenHandler {`
`123`	`125`	throw new InvalidRequestError('Missing parameter: `client_secret`');
`124`	`126`	`}`
`125`	`127`
`126`		`- if (!isFormat.vschar(credentials.clientId)) {`
	`128`	`+ if (!isStringOrNumber(credentials.clientId) \|\| !isFormat.vschar(toString(credentials.clientId))) {`
`127`	`129`	throw new InvalidRequestError('Invalid parameter: `client_id`');
`128`	`130`	`}`
`129`	`131`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,8 @@`
`1`	`1`	`const isFormat = require('@node-oauth/formats');`
`2`	`2`	`const InvalidScopeError = require('../errors/invalid-scope-error');`
	`3`	`+const { isInTypes } = require('../utils/param-util');`
`3`	`4`	`const whiteSpace = /\s+/g;`
	`5`	`+const isString = isInTypes('string');`
`4`	`6`
`5`	`7`	`/**`
`6`	`8`	`* @module ScopeUtil`
`@@ -22,7 +24,7 @@ function parseScope (requestedScope) {`
`22`	`24`	`return undefined;`
`23`	`25`	`}`
`24`	`26`
`25`		`- if (typeof requestedScope !== 'string') {`
	`27`	`+ if (!isString(requestedScope)) {`
`26`	`28`	throw new InvalidScopeError('Invalid parameter: `scope`');
`27`	`29`	`}`
`28`	`30`