From a7e5701a8394d79fe93d28794467747a23cf9ff4 Mon Sep 17 00:00:00 2001
From: bojeil-google
Date: Wed, 5 Aug 2020 10:04:43 -0700
Subject: [PATCH] fix: migrate token info API to not pass token in query string (#991)
Google APIs will stop accepting requests that pass OAuth tokens on the query string from June 1, 2021. To align with security best practices, we should not pass the token in the query string when calling tokeninfo endpoint. This also follows the gcloud samples code: https://cloud.google.com/sdk/gcloud/reference/auth/application-default/print-access-token?hl=en `curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$(gcloud auth application-default print-access-token)" https://www.googleapis.com/oauth2/v1/tokeninfo`
---
 src/auth/oauth2client.ts | 7 +++++--
 test/test.oauth2.ts | 12 +++++++++++-
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/auth/oauth2client.ts b/src/auth/oauth2client.ts
index 01edf9fc..9719212c 100644
--- a/src/auth/oauth2client.ts
+++ b/src/auth/oauth2client.ts
@@ -1015,9 +1015,12 @@ export class OAuth2Client extends AuthClient {
 */
 async getTokenInfo(accessToken: string): Promise {
 const {data} = await this.transporter.request({
- method: 'GET',
+ method: 'POST',
+ headers: {
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ },
 url: OAuth2Client.GOOGLE_TOKEN_INFO_URL,
- params: {access_token: accessToken},
+ data: querystring.stringify({access_token: accessToken}),
 });
 const info = Object.assign(
 {
diff --git a/test/test.oauth2.ts b/test/test.oauth2.ts
index dffa899e..e53fbcaa 100644
--- a/test/test.oauth2.ts
+++ b/test/test.oauth2.ts
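Review bot: The request config in getTokenInfo gives no reason for using POST with a form body, so a later clean-up could move the token back into `params` and put it in the URL again, where proxies and server access logs record it. A comment above `data:` would pin the intent, for example `// Token goes in the form body, never in the URL: query strings are written to access logs and proxy caches.` It is also worth checking the error path: if the transporter attaches the request config to the errors it throws (not visible here), that config now includes `data` with the access token, so callers that log the error would log the token. The body of getTokenInfo continues past the end of this hunk.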
@@ -1323,7 +1323,17 @@ describe('oauth2', () => {
 };
 const scope = nock(baseUrl)
- .get(`/tokeninfo?access_token=${accessToken}`)
+ .post(
+ '/tokeninfo',
+ qs.stringify({
+ access_token: accessToken,
+ }),
+ {
+ reqheaders: {
+ 'content-type': 'application/x-www-form-urlencoded',
+ },
+ }
+ )
 .reply(200, tokenInfo);
 const info = await client.getTokenInfo(accessToken);
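Review bot: The interceptor is the only regression guard for keeping the token out of the URL, and nothing in the test says so. A request that still sent `?access_token=` should fail to match the bare `'/tokeninfo'` path, so a one-line comment above `.post(` would make that intent explicit: `// Token must arrive in the form body; a query-string token would not match this path.` The expected body is built with `qs.stringify`, presumably the same serializer the client uses, so the test checks where the token is placed rather than its exact encoding on the wire. The test function starts before and ends after this hunk.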