Merge pull request #120 from auth0/sessionless

Allow sessionless authentication
auth0 · Jun 2, 2020 · 096f789 · 096f789
2 parents 94128dc + 438a593
commit 096f789
Showing 1 changed file with 17 additions and 9 deletions.
diff --git a/lib/index.js b/lib/index.js
@@ -74,15 +74,23 @@ Strategy.prototype.authenticate = function (req, options) {
     return this.fail(req.query.error);
   }
 
-  if (req.query.code) {
-    // If the code parameter is present, authenticate() is being called on the callback route.
-    this._verify = verifyWrapper(this._verify, this.options, req.session.authParams);
-  } else {
-    // If the code parameter is not present, authenticate() is being called on the login route.
-    req.session.authParams = {};
-    req.session.authParams.scope = options.scope;
-    req.session.authParams.nonce = crypto.randomBytes(16).toString('hex');
-    this.authParams = req.session.authParams
+  if (this.options.state) {
+    if (!req.session) {
+      throw new Error('Auth0Strategy requires you set state to false when no session is present')
+    }
+
+    if (req.query.code) {
+      // If the code parameter is present, authenticate() is being called on the callback route.
+      this._verify = verifyWrapper(this._verify, this.options, req.session.authParams);
+    } else {
+      // If the code parameter is not present, authenticate() is being called on the login route.
+      req.session.authParams = {};
+      req.session.authParams.scope = options.scope;
+      req.session.authParams.nonce = crypto.randomBytes(16).toString('hex');
+      this.authParams = req.session.authParams
+    }  
+  } else if (options.scope && options.scope.includes('openid')) {
+    throw new Error('Scope "openid" is not allowed without Auth0Strategy state true')
   }
 
   this._base.authenticate.call(this, req, options);