From 17b789822de64eb845e1e8e49ea83dbff56344f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bal=C3=A1zs=20Orb=C3=A1n?= Date: Wed, 14 Apr 2021 21:26:15 +0200 Subject: [PATCH] fix: make oauth_token_secret and oauth_token available (#1322) * fix: add oauth_token_secret to requests * chore: remove console.log * refactor: follow casing from response --- src/server/lib/oauth/callback.js | 18 ++++++++++++------ src/server/lib/oauth/client.js | 23 ++++++++++++++++++----- src/server/lib/signin/oauth.js | 18 +++++++++++++----- 3 files changed, 43 insertions(+), 16 deletions(-) diff --git a/src/server/lib/oauth/callback.js b/src/server/lib/oauth/callback.js index c33fcc7d62..d886cde391 100644 --- a/src/server/lib/oauth/callback.js +++ b/src/server/lib/oauth/callback.js @@ -59,14 +59,16 @@ export default async function oAuthCallback (req) { try { // Handle OAuth v1.x - const { - oauth_token: oauthToken, oauth_verifier: oauthVerifier - } = req.query - const tokens = await client.getOAuthAccessToken(oauthToken, null, oauthVerifier) + // eslint-disable-next-line camelcase + const { oauth_token, oauth_verifier } = req.query + + // eslint-disable-next-line camelcase + const { token_secret } = await client.getOAuthRequestToken(provider.params) + const tokens = await client.getOAuthAccessToken(oauth_token, token_secret, oauth_verifier) const profileData = await client.get( provider.profileUrl, - tokens.accessToken, - tokens.refreshToken + tokens.oauth_token, + tokens.oauth_token_secret ) return getProfile({ profileData, tokens, provider }) @@ -89,6 +91,10 @@ export default async function oAuthCallback (req) { * expires_in?: string | Date | null * refresh_token?: string * id_token?: string + * token?: string + * token_secret?: string + * tokenSecret?: string + * params?: any * } * provider: import("../..").Provider * user?: object diff --git a/src/server/lib/oauth/client.js b/src/server/lib/oauth/client.js index e0b1863045..f0b8d73d4b 100644 --- a/src/server/lib/oauth/client.js 
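Review bot: The added `const { token_secret } = await client.getOAuthRequestToken(provider.params)` in the OAuth 1.x branch reads a key that the wrapper in src/server/lib/oauth/client.js (changed in this same patch) never resolves; it resolves `{ oauth_token, oauth_token_secret, params }`, so `token_secret` is `undefined` when it reaches `getOAuthAccessToken`. Correcting the name to `const { oauth_token_secret } = …` is not enough on its own: a request token fetched inside the callback is a new temporary credential, not the one identified by the `oauth_token` in `req.query`, so its secret would presumably fail signature verification at a provider that checks it. The secret issued at sign-in should be held in server-side state bound to that `oauth_token` and looked up here, and a query `oauth_token` that does not match the stored one should be rejected before any provider call. The body of oAuthCallback starts and ends outside this hunk.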
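Review bot: The fields added to this JSDoc type (`token`, `token_secret`, `tokenSecret`, `params`) leave out the two names the code in this patch actually reads from `tokens`, namely `oauth_token` and `oauth_token_secret`. If the type describes the object resolved by `getOAuthAccessToken`, add `* oauth_token?: string` and `* oauth_token_secret?: string`, and drop the spellings that nothing visible produces. The typedef begins outside the hunk, so which object it documents is inferred.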
+++ b/src/server/lib/oauth/client.js @@ -54,23 +54,36 @@ export default function oAuthClient (provider) { const originalGetOAuth1AccessToken = oauth1Client.getOAuthAccessToken.bind(oauth1Client) oauth1Client.getOAuthAccessToken = (...args) => { return new Promise((resolve, reject) => { - originalGetOAuth1AccessToken(...args, (error, accessToken, refreshToken, results) => { + // eslint-disable-next-line camelcase + originalGetOAuth1AccessToken(...args, (error, oauth_token, oauth_token_secret, params) => { if (error) { return reject(error) } - resolve({ accessToken, refreshToken, results }) + + resolve({ + // TODO: Remove, this is only kept for backward compativility + // These are not in the OAuth 1.x spec + accessToken: oauth_token, + refreshToken: oauth_token_secret, + results: params, + + oauth_token, + oauth_token_secret, + params + }) }) }) } const originalGetOAuthRequestToken = oauth1Client.getOAuthRequestToken.bind(oauth1Client) - oauth1Client.getOAuthRequestToken = (...args) => { + oauth1Client.getOAuthRequestToken = (params = {}) => { return new Promise((resolve, reject) => { - originalGetOAuthRequestToken(...args, (error, oauthToken) => { + // eslint-disable-next-line camelcase + originalGetOAuthRequestToken(params, (error, oauth_token, oauth_token_secret, params) => { if (error) { return reject(error) } - resolve(oauthToken) + resolve({ oauth_token, oauth_token_secret, params }) }) }) } diff --git a/src/server/lib/signin/oauth.js b/src/server/lib/signin/oauth.js index da37ed3a43..25e48964da 100644 --- a/src/server/lib/signin/oauth.js +++ b/src/server/lib/signin/oauth.js 
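Review bot: In the new `getOAuthRequestToken` wrapper the callback's fourth parameter `params` shadows the wrapper's own `params = {}` argument, so the reader has to work out which of the two is resolved; naming it `responseParams` and resolving `{ oauth_token, oauth_token_secret, params: responseParams }` keeps request and response parameters apart. Both wrappers now hand `oauth_token_secret` to their callers, so a comment above each `resolve`, for example `// oauth_token_secret is a signing secret: keep it server-side, never in URLs or logs`, would state the handling rule where the value is produced. The TODO comment spells "compatibility" as "compativility". oAuthClient's body starts before and continues past this hunk.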
@@ -5,13 +5,17 @@ import logger from '../../../lib/logger' export default async function getAuthorizationUrl (req) { const { provider } = req.options + delete req.query?.nextauth + const params = { + ...provider.authorizationParams, + ...req.query + } + const client = oAuthClient(provider) if (provider.version?.startsWith('2.')) { - delete req.query?.nextauth // Handle OAuth v2.x let url = client.getAuthorizeUrl({ - ...provider.authorizationParams, - ...req.query, + ...params, redirect_uri: provider.callbackUrl, scope: provider.scope }) @@ -34,8 +38,12 @@ export default async function getAuthorizationUrl (req) { } try { - const oAuthToken = await client.getOAuthRequestToken() - const url = `${provider.authorizationUrl}?oauth_token=${oAuthToken}` + const tokens = await client.getOAuthRequestToken(params) + const url = `${provider.authorizationUrl}?${new URLSearchParams({ + oauth_token: tokens.oauth_token, + oauth_token_secret: tokens.oauth_token_secret, + ...tokens.params + })}` logger.debug('GET_AUTHORIZATION_URL', url) return url } catch (error) {
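Review bot: `params` is built with `...req.query` spread after `...provider.authorizationParams`, so any key in the sign-in request's query string replaces the value set in the provider configuration, and with this change the same object is also passed to `client.getOAuthRequestToken(params)` on the OAuth 1.x path. On the 2.x path `redirect_uri` and `scope` are applied after the spread and cannot be replaced, but every other key can. Reversing the order, `const params = { ...req.query, ...provider.authorizationParams }`, or copying only an allowlist of query keys, keeps the configured values authoritative; whether the override is intended is not visible here. getAuthorizationUrl continues past this hunk.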
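Review bot: The authorization URL built in the `try` block now carries `oauth_token_secret` in its query string, and the following line passes that URL to `logger.debug('GET_AUTHORIZATION_URL', url)`. The request-token secret is what signs the later access-token request, and inside a redirect URL it is recorded in browser history, Referer headers, proxy and provider access logs, and this application's debug log. The OAuth 1.0a authorization redirect needs only `oauth_token`. Build the query as `new URLSearchParams({ ...tokens.params, oauth_token: tokens.oauth_token })`, with the token last so response parameters cannot replace it, and keep the secret in server-side state for the callback to read. The `catch` handler of this `try` lies outside the hunk.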