fix: pass ciba user code to verifier

Author: panva

lib/actions/authorization/ciba_load_account.js

@@ -51,7 +51,7 @@ export default async function cibaLoadAccount(ctx, next) {
   }
   ctx.oidc.entity('Account', account);
 
-  await ciba.verifyUserCode(ctx, account, value);
+  await ciba.verifyUserCode(ctx, account, ctx.oidc.params.user_code);
 
   return next();
 }

test/ciba/ciba.config.js

@@ -77,6 +77,15 @@ export default {
       backchannel_client_notification_endpoint: 'https://rp.example.com/ping',
       backchannel_token_delivery_mode: 'ping',
     },
+    {
+      client_id: 'client-user-code',
+      grant_types: ['urn:openid:params:grant-type:ciba', 'refresh_token'],
+      response_types: [],
+      redirect_uris: [],
+      token_endpoint_auth_method: 'none',
+      backchannel_token_delivery_mode: 'poll',
+      backchannel_user_code_parameter: true,
+    },
     {
       client_id: 'client-par-required',
       grant_types: ['urn:openid:params:grant-type:ciba', 'refresh_token'],

test/ciba/ciba.test.js

@@ -133,7 +133,7 @@ describe('features.ciba', () => {
       const route = '/backchannel';
 
       it('minimal w/ login_hint', async function () {
-        const [, [, request, account, client]] = await Promise.all([
+        const [, [, request, account, client], verifyUserCode] = await Promise.all([
           this.agent.post(route)
             .send({
               scope: 'openid',
@@ -166,6 +166,7 @@ describe('features.ciba', () => {
         expect(request.params).to.deep.eql({
           client_id: 'client', login_hint: 'accountId', scope: 'openid', extra2: 'defaulted', extra: 'provided',
         });
+        expect(verifyUserCode[2]).to.be.undefined;
       });
 
       it('does not require PAR for clients with require_pushed_authorization_requests', async function () {
@@ -183,6 +184,24 @@ describe('features.ciba', () => {
           });
       });
 
+      it('passes user_code to verifyUserCode', async function () {
+        const [, verifyUserCode] = await Promise.all([
+          this.agent.post(route)
+            .send({
+              scope: 'openid',
+              login_hint: 'accountId',
+              user_code: '1234',
+              client_id: 'client-user-code',
+            })
+            .type('form')
+            .expect(200)
+            .expect('content-type', /application\/json/),
+          once(emitter, 'verifyUserCode'),
+        ]);
+
+        expect(verifyUserCode[2]).to.equal('1234');
+      });
+
       it('requested_expiry', async function () {
         await this.agent.post(route)
           .send({