Add back a google verification for old access_token

spec/AuthenticationAdapters.spec.js

@@ -523,12 +523,12 @@ describe('google auth adapter', () => {
   const google = require('../lib/Adapters/Auth/google');
   const jwt = require('jsonwebtoken');
 
-  it('should throw error with missing id_token', async () => {
+  it('should throw error with missing id_token or access_token', async () => {
     try {
       await google.validateAuthData({}, {});
       fail();
     } catch (e) {
-      expect(e.message).toBe('id token is invalid for this user.');
+      expect(e.message).toBe('id_token or access_token is missing for this user.');
     }
   });
 
@@ -541,20 +541,6 @@ describe('google auth adapter', () => {
     }
   });
 
-  // it('should throw error if public key used to encode token is not available', async () => {
-  //   const fakeDecodedToken = { header: { kid: '789', alg: 'RS256' } };
-  //   try {
-  //     spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken);
-
-  //     await google.validateAuthData({ id: 'the_user_id', id_token: 'the_token' }, {});
-  //     fail();
-  //   } catch (e) {
-  //     expect(e.message).toBe(
-  //       `Unable to find matching key for Key ID: ${fakeDecodedToken.header.kid}`
-  //     );
-  //   }
-  // });
-
   it('(using client id as string) should verify id_token', async () => {
     const fakeClaim = {
       iss: 'https://accounts.google.com',

src/Adapters/Auth/google.js

@@ -5,6 +5,7 @@
 
 const https = require('https');
 const jwt = require('jsonwebtoken');
+const httpsRequest = require('./httpsRequest');
 
 const TOKEN_ISSUER = 'accounts.google.com';
 const HTTPS_TOKEN_ISSUER = 'https://accounts.google.com';
@@ -87,7 +88,7 @@
     );
   }
 
-  if (jwtClaims.sub !== id) {
+  if (typeof id != 'undefined' && jwtClaims.sub !== id) {
     throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `auth data is invalid for this user.`);
   }
 
@@ -101,9 +102,39 @@
   return jwtClaims;
 }
 
+// Old way to validate an auth_token, only used for development purpose
+function validateAuthToken({ id, access_token }) {
+  return googleRequest('tokeninfo?access_token=' + access_token).then(response => {
+    if (response && (response.sub == id || response.user_id == id)) {
+      return;
+    }
+    throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Google auth is invalid for this user.');
+  });
+}
+
 // Returns a promise that fulfills if this user id is valid.
-function validateAuthData(authData, options = {}) {
-  return verifyIdToken(authData, options);
+function validateAuthData({ id, id_token, access_token }, options) {
+  if (!id_token && !access_token) {
+    return Promise.reject(new Parse.Error(
+      Parse.Error.OBJECT_NOT_FOUND,
+      `id_token or access_token is missing for this user.`
+    ));
+  }
+  // Returns a promise that fulfills if this user id is valid.
+  if (id_token) {
+    return verifyIdToken({ id, id_token }, options);
+  } else {
+    return validateAuthToken({ id, access_token }).then(
+      () => {
+        // Validation with auth token worked
+        return;
+      },
+      () => {
+        // Try with the id_token param
+        return verifyIdToken({ id, id_token: access_token }, options);
+      }
+    );
+  }
 }
 
 // Returns a promise that fulfills if this app id is valid.
@@ -169,3 +200,8 @@
   const lengthOfLengthByte = 128 + nHex.length / 2;
   return toHex(lengthOfLengthByte) + nHex;
 }
+
+// A promisey wrapper for api requests
+function googleRequest(path) {
+  return httpsRequest.get('https://www.googleapis.com/oauth2/v3/' + path);
+}