fix: support signed logout resposne sent via POST (#140)

Artiom Ciumac · Artiom Ciumac · jakelacey2012 · web-flow · commit 5274d622b1f4 · 2023-11-17T15:53:57.000Z
Co-authored-by: Artiom Ciumac &lt;artiom.ciumac@okta.com&gt;
Co-authored-by: Jake Lacey &lt;jakewlacey@gmail.com&gt;
diff --git a/lib/utils.js b/lib/utils.js
@@ -185,11 +185,12 @@ module.exports.validateSignature = validateSignature;
 function validateSignature(req, element_type, xml, options) {
   const type = constants.ELEMENTS[element_type].PROP;
 
-  const isRequestSigned = !options.deflate ?
+  const isPostOrWithoutDeflate = (req.body && req.body[type]) || !options.deflate;
+  const isRequestSigned = isPostOrWithoutDeflate ?
     xpath.select(options.signaturePath || constants.ELEMENTS[element_type].SIGNATURE_VALIDATION_PATH, xml).length > 0 : !!req.query.Signature;
 
   if (isRequestSigned) {
-    if ((req.body && req.body[type]) || !options.deflate) {
+    if (isPostOrWithoutDeflate) {
       // HTTP-POST or HTTP-Redirect without deflate encoding
       const validationErrors = signers.validateXmlEmbeddedSignature(xml, options);
       if (validationErrors && validationErrors.length > 0) {
diff --git a/test/fixture/signed_response.js b/test/fixture/signed_response.js
diff --git a/test/utils.tests.js b/test/utils.tests.js
@@ -1,24 +1,45 @@
-const timekeeper = require('timekeeper');
-const expect = require('chai').expect;
+const timekeeper = require("timekeeper");
+const DOMParser = require("@auth0/xmldom").DOMParser;
+const expect = require("chai").expect;
 
-const utils = require('../lib/utils');
+const utils = require("../lib/utils");
 
-describe('utils', function () {
-  describe('generateInstant', function () {
-    it('should pad the millis appropriately', function () {
+const signedResponse = require("./fixture/signed_response");
+
+describe("utils", function () {
+  describe("generateInstant", function () {
+    it("should pad the millis appropriately", function () {
       timekeeper.withFreeze(0, () => {
-        expect(utils.generateInstant()).to.equal('1970-01-01T00:00:00.000Z');
+        expect(utils.generateInstant()).to.equal("1970-01-01T00:00:00.000Z");
       });
     });
   });
-  describe('generateUniqueID', function() {
-    it('should generate an ID 20 chars long', function() {
+  describe("generateUniqueID", function () {
+    it("should generate an ID 20 chars long", function () {
       expect(utils.generateUniqueID().length).to.equal(20);
     });
   });
-  describe('generateUniqueID', function() {
-    it('should generate an ID from the alphabet', function() {
-      expect('abcdef0123456789'.split('')).to.include.members(utils.generateUniqueID().split(''));
+  describe("generateUniqueID", function () {
+    it("should generate an ID from the alphabet", function () {
+      expect("abcdef0123456789".split("")).to.include.members(
+        utils.generateUniqueID().split("")
+      );
+    });
+  });
+  describe("validateSignature", function () {
+    describe("with custom signing certificate", function () {
+      it("should validate the signature correctly", function () {
+        const response = signedResponse.response;
+
+        const req = { body: { SAMLResponse: response }, query: {} };
+        const element_type = "LOGOUT_RESPONSE";
+        const xml = new DOMParser().parseFromString(signedResponse.xml);
+        const options = { signingCert: signedResponse.cert, deflate: true };
+
+        // should not throw errors
+        expect(utils.validateSignature(req, element_type, xml, options)).to.be
+          .undefined;
+      });
     });
   });
 });
