Session data used for consent

Author: jaxoncreed

default-views/auth/consent.hbs

@@ -39,7 +39,6 @@
     <button type="submit" class="btn btn-primary" name="consent" value="true">Authorize</button>
     <button type="submit" class="btn btn-default" name="cancel" value="true">Cancel</button>
     {{> auth/auth-hidden-fields}}
-    <input type="hidden" name="web_id" id="web_id" value="{{web_id}}" />
   </form>
 </div>
 </body>

lib/requests/auth-request.js

@@ -2,7 +2,6 @@
 
 const url = require('url')
 const debug = require('./../debug').authentication
-const IDToken = require('@solid/oidc-op/src/IDToken')
 
 /**
  * Hidden form fields from the login page that must be passed through to the
@@ -11,7 +10,7 @@ const IDToken = require('@solid/oidc-op/src/IDToken')
  * @type {Array<string>}
  */
 const AUTH_QUERY_PARAMS = ['response_type', 'display', 'scope',
-  'client_id', 'redirect_uri', 'state', 'nonce', 'request', 'web_id']
+  'client_id', 'redirect_uri', 'state', 'nonce', 'request']
 
 /**
  * Base authentication request (used for login and password reset workflows).
@@ -135,11 +134,6 @@ class AuthRequest {
       extracted[p] = value
     }
 
-    // Special case because solid-auth-client does not include redirect in params
-    if (!extracted['redirect_uri'] && params.request) {
-      extracted['redirect_uri'] = IDToken.decode(params.request).payload.redirect_uri
-    }
-
     return extracted
   }
 
@@ -217,14 +211,11 @@ class AuthRequest {
     return url.format(signupUrl)
   }
 
-  consentUrl (validUser) {
+  consentUrl () {
     let host = this.accountManager.host
     let consentUrl = url.parse(url.resolve(host.serverUri, '/consent'))
 
-    consentUrl.query = {
-      ...this.authQueryParams,
-      web_id: validUser.webId
-    }
+    consentUrl.query = this.authQueryParams
 
     return url.format(consentUrl)
   }

lib/requests/consent-request.js

@@ -95,22 +95,24 @@ class ConsentRequest extends AuthRequest {
     }
 
     let request = ConsentRequest.fromParams(req, res)
+
+    // Ensure the user arrived here by logging in
+    if (!request.session.subject && request.session.subject._id) {
+      const error = new Error('User not logged in')
+      error.statusCode = 401
+      throw error
+    }
+
     const appOrigin = request.getAppOrigin()
     debug('Providing consent for app sharing')
 
     if (consented) {
-      await request.registerApp(req.app.locals.ldp, appOrigin, accessModes, request.authQueryParams.web_id)
+      await request.registerApp(req.app.locals.ldp, appOrigin, accessModes, request.session.subject._id)
     }
 
     console.log('oh no didnt update')
     // Redirect once that's all done
-    return request.authenticator.findValidUser()
-      .then(validUser => {
-        request.initUserSession(validUser)
-        request.redirectPostConsent(validUser)
-      })
-
-      .catch(error => request.error(error))
+    request.redirectPostConsent()
   }
 
   getAppOrigin () {

lib/requests/login-request.js

@@ -159,7 +159,7 @@ class LoginRequest extends AuthRequest {
   postLoginUrl (validUser) {
     // Login request is part of an app's auth flow
     if (/token|code/.test(this.authQueryParams['response_type'])) {
-      return this.consentUrl(validUser)
+      return this.consentUrl()
     // Login request is a user going to /login in browser
     } else if (validUser) {
       return this.authQueryParams['redirect_uri'] || validUser.accountUri