feat: OAuth 2.0 Client Credentials as Basic Auth - request logic

pietrygamat · pietrygamat · commit d4e91a8b4794 · 2024-06-05T21:00:36.000+02:00
#2106
diff --git a/packages/bruno-electron/src/ipc/network/index.js b/packages/bruno-electron/src/ipc/network/index.js
@@ -205,34 +205,48 @@ const configureRequest = async (
   if (request.oauth2) {
     let requestCopy = cloneDeep(request);
     switch (request?.oauth2?.grantType) {
-      case 'authorization_code':
+      case 'authorization_code': {
         interpolateVars(requestCopy, envVars, collectionVariables, processEnvVars);
-        const { data: authorizationCodeData, url: authorizationCodeAccessTokenUrl } =
-          await resolveOAuth2AuthorizationCodeAccessToken(requestCopy, collectionUid);
+        const {
+          headers: optionalBasicAuthHeader,
+          data: authorizationCodeData,
+          url: authorizationCodeAccessTokenUrl
+        } = await resolveOAuth2AuthorizationCodeAccessToken(requestCopy, collectionUid);
         request.method = 'POST';
         request.headers['content-type'] = 'application/x-www-form-urlencoded';
+        request.headers = { ...request.headers, ...optionalBasicAuthHeader };
         request.data = authorizationCodeData;
         request.url = authorizationCodeAccessTokenUrl;
         break;
-      case 'client_credentials':
+      }
+      case 'client_credentials': {
         interpolateVars(requestCopy, envVars, collectionVariables, processEnvVars);
-        const { data: clientCredentialsData, url: clientCredentialsAccessTokenUrl } =
-          await transformClientCredentialsRequest(requestCopy);
+        const {
+          headers: optionalBasicAuthHeader,
+          data: clientCredentialsData,
+          url: clientCredentialsAccessTokenUrl
+        } = await transformClientCredentialsRequest(requestCopy);
         request.method = 'POST';
         request.headers['content-type'] = 'application/x-www-form-urlencoded';
+        request.headers = { ...request.headers, ...optionalBasicAuthHeader };
         request.data = clientCredentialsData;
         request.url = clientCredentialsAccessTokenUrl;
         break;
-      case 'password':
+      }
+      case 'password': {
         interpolateVars(requestCopy, envVars, collectionVariables, processEnvVars);
-        const { data: passwordData, url: passwordAccessTokenUrl } = await transformPasswordCredentialsRequest(
-          requestCopy
-        );
+        const {
+          headers: optionalBasicAuthHeader,
+          data: passwordData,
+          url: passwordAccessTokenUrl
+        } = await transformPasswordCredentialsRequest(requestCopy);
         request.method = 'POST';
         request.headers['content-type'] = 'application/x-www-form-urlencoded';
+        request.headers = { ...request.headers, ...optionalBasicAuthHeader };
         request.data = passwordData;
         request.url = passwordAccessTokenUrl;
         break;
+      }
     }
   }
 
diff --git a/packages/bruno-electron/src/ipc/network/interpolate-vars.js b/packages/bruno-electron/src/ipc/network/interpolate-vars.js
@@ -139,53 +139,33 @@ const interpolateVars = (request, envVars = {}, collectionVariables = {}, proces
   }
 
   if (request?.oauth2?.grantType) {
-    let username, password, scope, clientId, clientSecret;
     switch (request.oauth2.grantType) {
       case 'password':
-        username = _interpolate(request.oauth2.username) || '';
-        password = _interpolate(request.oauth2.password) || '';
-        clientId = _interpolate(request.oauth2.clientId) || '';
-        clientSecret = _interpolate(request.oauth2.clientSecret) || '';
-        scope = _interpolate(request.oauth2.scope) || '';
         request.oauth2.accessTokenUrl = _interpolate(request.oauth2.accessTokenUrl) || '';
-        request.oauth2.username = username;
-        request.oauth2.password = password;
-        request.oauth2.clientId = clientId;
-        request.oauth2.clientSecret = clientSecret;
-        request.oauth2.scope = scope;
-        request.data = {
-          grant_type: 'password',
-          username,
-          password,
-          client_id: clientId,
-          client_secret: clientSecret,
-          scope
-        };
+        request.oauth2.username = _interpolate(request.oauth2.username) || '';
+        request.oauth2.password = _interpolate(request.oauth2.password) || '';
+        request.oauth2.clientId = _interpolate(request.oauth2.clientId) || '';
+        request.oauth2.clientSecret = _interpolate(request.oauth2.clientSecret) || '';
+        request.oauth2.clientSecretMethod = _interpolate(request.oauth2.clientSecretMethod) || '';
+        request.oauth2.scope = _interpolate(request.oauth2.scope) || '';
         break;
       case 'authorization_code':
         request.oauth2.callbackUrl = _interpolate(request.oauth2.callbackUrl) || '';
         request.oauth2.authorizationUrl = _interpolate(request.oauth2.authorizationUrl) || '';
         request.oauth2.accessTokenUrl = _interpolate(request.oauth2.accessTokenUrl) || '';
         request.oauth2.clientId = _interpolate(request.oauth2.clientId) || '';
         request.oauth2.clientSecret = _interpolate(request.oauth2.clientSecret) || '';
+        request.oauth2.clientSecretMethod = _interpolate(request.oauth2.clientSecretMethod) || '';
         request.oauth2.scope = _interpolate(request.oauth2.scope) || '';
         request.oauth2.state = _interpolate(request.oauth2.state) || '';
         request.oauth2.pkce = _interpolate(request.oauth2.pkce) || false;
         break;
       case 'client_credentials':
-        clientId = _interpolate(request.oauth2.clientId) || '';
-        clientSecret = _interpolate(request.oauth2.clientSecret) || '';
-        scope = _interpolate(request.oauth2.scope) || '';
         request.oauth2.accessTokenUrl = _interpolate(request.oauth2.accessTokenUrl) || '';
-        request.oauth2.clientId = clientId;
-        request.oauth2.clientSecret = clientSecret;
-        request.oauth2.scope = scope;
-        request.data = {
-          grant_type: 'client_credentials',
-          client_id: clientId,
-          client_secret: clientSecret,
-          scope
-        };
+        request.oauth2.clientId = _interpolate(request.oauth2.clientId) || '';
+        request.oauth2.clientSecret = _interpolate(request.oauth2.clientSecret) || '';
+        request.oauth2.clientSecretMethod = _interpolate(request.oauth2.clientSecretMethod) || '';
+        request.oauth2.scope = _interpolate(request.oauth2.scope) || '';
         break;
       default:
         break;
diff --git a/packages/bruno-electron/src/ipc/network/oauth2-helper.js b/packages/bruno-electron/src/ipc/network/oauth2-helper.js
@@ -3,6 +3,28 @@ const crypto = require('crypto');
 const { authorizeUserInWindow } = require('./authorize-user-in-window');
 const Oauth2Store = require('../../store/oauth2');
 
+const clientCredentials = (clientId, clientSecret, clientSecretMethod) => {
+  let credentialsInBody;
+  let credentialsInHeader;
+  if (clientSecret) {
+    switch (clientSecretMethod) {
+      case 'client_credentials_post': {
+        credentialsInBody = {
+          client_secret: clientSecret,
+          client_id: clientId
+        };
+        break;
+      }
+      case 'client_credentials_basic': {
+        const credentials = 'Basic ' + Buffer.from(clientId + ':' + clientSecret).toString('base64');
+        credentialsInHeader = { Authorization: credentials };
+        break;
+      }
+    }
+  }
+  return { credentialsInHeader, credentialsInBody };
+};
+
 const generateCodeVerifier = () => {
   return crypto.randomBytes(22).toString('hex');
 };
@@ -23,22 +45,23 @@ const resolveOAuth2AuthorizationCodeAccessToken = async (request, collectionUid)
   let requestCopy = cloneDeep(request);
   const { authorizationCode } = await getOAuth2AuthorizationCode(requestCopy, codeChallenge, collectionUid);
   const oAuth = get(requestCopy, 'oauth2', {});
-  const { clientId, clientSecret, callbackUrl, scope, state, pkce } = oAuth;
+  const { clientId, clientSecret, clientSecretMethod, callbackUrl, scope, state, pkce } = oAuth;
+  const { optionalCredentialsInBody, optionalCredentialsInHeader } = clientCredentials(clientId, clientSecret, clientSecretMethod);
   const data = {
     grant_type: 'authorization_code',
     code: authorizationCode,
     redirect_uri: callbackUrl,
-    client_id: clientId,
-    client_secret: clientSecret,
     scope: scope,
-    state: state
+    state: state,
+    ...optionalCredentialsInBody
   };
   if (pkce) {
     data['code_verifier'] = codeVerifier;
   }
 
   const url = requestCopy?.oauth2?.accessTokenUrl;
   return {
+    headers: optionalCredentialsInHeader,
     data,
     url
   };
@@ -84,15 +107,17 @@ const getOAuth2AuthorizationCode = (request, codeChallenge, collectionUid) => {
 const transformClientCredentialsRequest = async (request) => {
   let requestCopy = cloneDeep(request);
   const oAuth = get(requestCopy, 'oauth2', {});
-  const { clientId, clientSecret, scope } = oAuth;
-  const data = {
+  const { clientId, clientSecret, clientSecretMethod, scope } = oAuth;
+  const { optionalCredentialsInBody, optionalCredentialsInHeader } = clientCredentials(clientId, clientSecret, clientSecretMethod);
+  let data = {
     grant_type: 'client_credentials',
-    client_id: clientId,
-    client_secret: clientSecret,
-    scope
+    scope,
+    ...optionalCredentialsInBody
   };
+
   const url = requestCopy?.oauth2?.accessTokenUrl;
   return {
+    headers: optionalCredentialsInHeader,
     data,
     url
   };
@@ -103,17 +128,19 @@ const transformClientCredentialsRequest = async (request) => {
 const transformPasswordCredentialsRequest = async (request) => {
   let requestCopy = cloneDeep(request);
   const oAuth = get(requestCopy, 'oauth2', {});
-  const { username, password, clientId, clientSecret, scope } = oAuth;
-  const data = {
+  const { username, password, clientId, clientSecret, clientSecretMethod, scope } = oAuth;
+  const { optionalCredentialsInBody, optionalCredentialsInHeader } = clientCredentials(clientId, clientSecret, clientSecretMethod);
+  let data = {
     grant_type: 'password',
     username,
     password,
-    client_id: clientId,
-    client_secret: clientSecret,
-    scope
+    scope,
+    ...optionalCredentialsInBody
   };
+
   const url = requestCopy?.oauth2?.accessTokenUrl;
   return {
+    headers: optionalCredentialsInHeader,
     data,
     url
   };
diff --git a/packages/bruno-electron/src/ipc/network/prepare-request.js b/packages/bruno-electron/src/ipc/network/prepare-request.js
@@ -100,6 +100,7 @@ const setAuthHeaders = (axiosRequest, request, collectionRoot) => {
               password: get(request, 'auth.oauth2.password'),
               clientId: get(request, 'auth.oauth2.clientId'),
               clientSecret: get(request, 'auth.oauth2.clientSecret'),
+              clientSecretMethod: get(request, 'auth.oauth2.clientSecretMethod'),
               scope: get(request, 'auth.oauth2.scope')
             };
             break;
@@ -111,6 +112,7 @@ const setAuthHeaders = (axiosRequest, request, collectionRoot) => {
               accessTokenUrl: get(request, 'auth.oauth2.accessTokenUrl'),
               clientId: get(request, 'auth.oauth2.clientId'),
               clientSecret: get(request, 'auth.oauth2.clientSecret'),
+              clientSecretMethod: get(request, 'auth.oauth2.clientSecretMethod'),
               scope: get(request, 'auth.oauth2.scope'),
               state: get(request, 'auth.oauth2.state'),
               pkce: get(request, 'auth.oauth2.pkce')
@@ -122,6 +124,7 @@ const setAuthHeaders = (axiosRequest, request, collectionRoot) => {
               accessTokenUrl: get(request, 'auth.oauth2.accessTokenUrl'),
               clientId: get(request, 'auth.oauth2.clientId'),
               clientSecret: get(request, 'auth.oauth2.clientSecret'),
+              clientSecretMethod: get(request, 'auth.oauth2.clientSecretMethod'),
               scope: get(request, 'auth.oauth2.scope')
             };
             break;
