fix(auth): Properly handle google token issuer (#6836)

arjun3396 · web-flow · commit 42f75d6d947a · 2020-07-29T09:55:59.000-05:00
* Updated TOKEN_ISSUER to 'accounts.google.com'

Hi, I was getting this issue from today morning parse-server/Adapters/Auth/google.js was expecting the TOKEN_ISSUER to be prefixed with https:// but on debugging the original value was not having the prefix, removing https:// from TOKEN_ISSUER solved this bug. This issue is introduced in 4.3.0 as in 4.2.0 it is working fine currently I have downgraded the version to 4.2.0 for it to work properly and suggesting the changes please merge this PR.

* Update google.js

* Update AuthenticationAdapters.spec.js

* Update google.js

* Update google.js
diff --git a/spec/AuthenticationAdapters.spec.js b/spec/AuthenticationAdapters.spec.js
@@ -701,7 +701,7 @@ describe('google auth adapter', () => {
       fail();
     } catch (e) {
       expect(e.message).toBe(
-        'id token not issued by correct provider - expected: https://accounts.google.com | from: https://not.google.com'
+        'id token not issued by correct provider - expected: accounts.google.com or https://accounts.google.com | from: https://not.google.com'
       );
     }
   });
diff --git a/src/Adapters/Auth/google.js b/src/Adapters/Auth/google.js
@@ -6,7 +6,8 @@ var Parse = require('parse/node').Parse;
 const https = require('https');
 const jwt = require('jsonwebtoken');
 
-const TOKEN_ISSUER = 'https://accounts.google.com';
+const TOKEN_ISSUER = 'accounts.google.com';
+const HTTPS_TOKEN_ISSUER = 'https://accounts.google.com';
 
 let cache = {};
 
@@ -67,8 +68,8 @@ async function verifyIdToken({id_token: token, id}, {clientId}) {
     throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `${message}`);
   }
 
-  if (jwtClaims.iss !== TOKEN_ISSUER) {
-    throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `id token not issued by correct provider - expected: ${TOKEN_ISSUER} | from: ${jwtClaims.iss}`);
+  if (jwtClaims.iss !== TOKEN_ISSUER && jwtClaims.iss !== HTTPS_TOKEN_ISSUER) {
+    throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `id token not issued by correct provider - expected: ${TOKEN_ISSUER} or ${HTTPS_TOKEN_ISSUER} | from: ${jwtClaims.iss}`);
   }
 
   if (jwtClaims.sub !== id) {

Original file line number	Diff line number	Diff line change
`@@ -701,7 +701,7 @@ describe('google auth adapter', () => {`
`701`	`701`	`fail();`
`702`	`702`	`} catch (e) {`
`703`	`703`	`expect(e.message).toBe(`
`704`		`- 'id token not issued by correct provider - expected: https://accounts.google.com \| from: https://not.google.com'`
	`704`	`+ 'id token not issued by correct provider - expected: accounts.google.com or https://accounts.google.com \| from: https://not.google.com'`
`705`	`705`	`);`
`706`	`706`	`}`
`707`	`707`	`});`