Smartling · ashevel-smartling · Nov 16, 2017 · Nov 28, 2017 · Nov 30, 2017 · Dec 8, 2017
diff --git a/.travis.yml b/.travis.yml
@@ -2,7 +2,6 @@ sudo: required
 dist: trusty
 language: node_js
 node_js:
-  - "4"
   - "6"
   - "7"
   - "8"

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -16,11 +16,8 @@ Discussions can be done via:
 
 Documentation:
 
-[Web site docs](http://keycloak.jboss.org/docs) - User Guide, Admin REST API and Javadocs
-
-[Git books](https://www.gitbook.com/@keycloak) - Authorization Services, Server Administration Guide, Server Developer Guide,
-Server Installation and Configuration Guide, Securing Applications and Services Guide, Getting Started Guide
-
+[Web site docs](http://www.keycloak.org/documentation.html) - Authorization Services, Server Administration Guide, Server Developer Guide,
+Server Installation and Configuration Guide, Securing Applications and Services Guide, Getting Started Guide, Admin REST API and Javadocs
 
 ## Code contributions
 

diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@ authentication, including authenticating against various social networks
 and OAuth providers (G+, Facebook, etc).
 
 This module makes it simple to implement a Node.js Connect-friendly
-application that uses Keycloak for its authentication and authorization needs. For usage instructions, please read the [documentation](https://keycloak.gitbooks.io/documentation/content/securing_apps/topics/oidc/nodejs-adapter.html).
+application that uses Keycloak for its authentication and authorization needs. For usage instructions, please read the [documentation](http://www.keycloak.org/docs/latest/securing_apps/index.html#_nodejs_adapter).
 
 Reporting security vulnerabilities
 ----------------------------------

diff --git a/index.js b/index.js
@@ -258,7 +258,9 @@ Keycloak.prototype.getGrant = function (request, response) {
       self.storeGrant(grant, request, response);
       return grant;
     })
-    .catch(() => { return Promise.reject(); });
+    .catch((e) => {
+      return Promise.reject(new Error('Could not store grant code error. ' + e));
+    });
   }
 
   return Promise.reject();

diff --git a/middleware/auth-utils/grant-manager.js b/middleware/auth-utils/grant-manager.js
@@ -156,7 +156,8 @@ GrantManager.prototype.ensureFreshness = function ensureFreshness (grant, callba
 
   const params = {
     grant_type: 'refresh_token',
-    refresh_token: grant.refresh_token.token
+    refresh_token: grant.refresh_token.token,
+    client_id: this.clientId
   };
   const handler = refreshHandler(this, grant);
   const options = postOptions(this);
@@ -205,7 +206,7 @@ GrantManager.prototype.userInfo = function userInfo (token, callback) {
   const promise = new Promise((resolve, reject) => {
     const req = getProtocol(options).request(options, (response) => {
       if (response.statusCode < 200 || response.statusCode >= 300) {
-        return reject('Error fetching account');
+        return reject(new Error('Error fetching account'));
       }
       let json = '';
       response.on('data', (d) => (json += d.toString()));
@@ -282,10 +283,10 @@ GrantManager.prototype.createGrant = function createGrant (rawData) {
  */
 GrantManager.prototype.validateGrant = function validateGrant (grant) {
   var self = this;
-  const validateGrantToken = (grant, tokenName) => {
+  const validateGrantToken = (grant, tokenName, expectedType) => {
     return new Promise((resolve, reject) => {
     // check the access token
-      this.validateToken(grant[tokenName]).then(token => {
+      this.validateToken(grant[tokenName], expectedType).then(token => {
         grant[tokenName] = token;
         resolve();
       }).catch((err) => {
@@ -295,13 +296,13 @@ GrantManager.prototype.validateGrant = function validateGrant (grant) {
   };
   return new Promise((resolve, reject) => {
     var promises = [];
-    promises.push(validateGrantToken(grant, 'access_token'));
+    promises.push(validateGrantToken(grant, 'access_token', 'Bearer'));
     if (!self.bearerOnly) {
       if (grant.refresh_token) {
-        promises.push(validateGrantToken(grant, 'refresh_token'));
+        promises.push(validateGrantToken(grant, 'refresh_token', 'Refresh'));
       }
       if (grant.id_token) {
-        promises.push(validateGrantToken(grant, 'id_token'));
+        promises.push(validateGrantToken(grant, 'id_token', 'ID'));
       }
     }
     Promise.all(promises).then(() => {
@@ -328,14 +329,16 @@ GrantManager.prototype.validateGrant = function validateGrant (grant) {
  *
  * @return {Promise} That resolve a token
  */
-GrantManager.prototype.validateToken = function validateToken (token) {
+GrantManager.prototype.validateToken = function validateToken (token, expectedType) {
   return new Promise((resolve, reject) => {
     if (!token) {
       reject(new Error('invalid token (missing)'));
     } else if (token.isExpired()) {
       reject(new Error('invalid token (expired)'));
     } else if (!token.signed) {
       reject(new Error('invalid token (not signed)'));
+    } else if (token.content.typ !== expectedType) {
+      reject(new Error('invalid token (wrong type)'));
     } else if (token.content.iat < this.notBefore) {
       reject(new Error('invalid token (future dated)'));
     } else if (token.content.iss !== this.realmUrl) {
@@ -363,8 +366,8 @@ GrantManager.prototype.validateToken = function validateToken (token) {
           } else {
             resolve(token);
           }
-        }, () => {
-          reject(new Error('failed to load public key to verify token'));
+        }).catch((err) => {
+          reject(new Error('failed to load public key to verify token. Reason: ' + err.message));
         });
       }
     }

diff --git a/middleware/auth-utils/rotation.js b/middleware/auth-utils/rotation.js
@@ -40,7 +40,7 @@ Rotation.prototype.retrieveJWKs = function retrieveJWKs (callback) {
   const promise = new Promise((resolve, reject) => {
     const req = getProtocol(options).request(options, (response) => {
       if (response.statusCode < 200 || response.statusCode >= 300) {
-        return reject('Error fetching JWK Keys');
+        return reject(new Error('Error fetching JWK Keys'));
       }
       let json = '';
       response.on('data', (d) => (json += d.toString()));

diff --git a/middleware/auth-utils/token.js b/middleware/auth-utils/token.js
@@ -39,6 +39,7 @@ function Token (token, clientId) {
       this.signature = new Buffer(parts[2], 'base64');
       this.signed = parts[0] + '.' + parts[1];
     } catch (err) {
+      console.error('Failed to parse JWT token', err);
       this.content = {
         exp: 0
       };

diff --git a/middleware/grant-attacher.js b/middleware/grant-attacher.js
@@ -21,6 +21,12 @@ module.exports = function (keycloak) {
       .then(grant => {
         request.kauth.grant = grant;
       })
-      .then(next).catch(() => next());
+      .then(next).catch(err => {
+        // err can be undefined
+        if (err) {
+          console.error('Failed to get grant', err);
+        }
+        next();
+      });
   };
 };
diff --git a/middleware/post-auth.js b/middleware/post-auth.js
@@ -37,6 +37,7 @@ module.exports = function (keycloak) {
         delete urlParts.query.code;
         delete urlParts.query.auth_callback;
         delete urlParts.query.state;
+        delete urlParts.query.session_state;
 
         let cleanUrl = URL.format(urlParts);
 
@@ -48,8 +49,8 @@ module.exports = function (keycloak) {
         }
         response.redirect(cleanUrl);
       }).catch((err) => {
-        keycloak.accessDenied(request, response);
-        console.error('Could not obtain grant code: ' + err);
+        keycloak.accessDenied(request, response, next);
+        console.error('Could not obtain grant code', err);
       });
   };
 };
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,7 +2,6 @@ sudo: required @@
     dist: trusty
     language: node_js
     node_js:
-      - "4"
       - "6"
       - "7"
       - "8"
@@ Expand Down @@