From fd9d39ac9756a65e3c844dafb03724e53884ce6b Mon Sep 17 00:00:00 2001
From: Gaming4JC
Date: Mon, 30 Dec 2019 10:20:58 -0500
Subject: Bug 1597933 - don't pass string constants to determine OAuth refresh token or not.
---
 mailnews/base/util/OAuth2.jsm | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)
(limited to 'mailnews/base')
diff --git a/mailnews/base/util/OAuth2.jsm b/mailnews/base/util/OAuth2.jsm
index 8feee0e94..037333abc 100644
--- a/mailnews/base/util/OAuth2.jsm
+++ b/mailnews/base/util/OAuth2.jsm
@@ -29,9 +29,6 @@ function OAuth2(aBaseURI, aScope, aAppKey, aAppSecret) {
 this.log = Log4Moz.getConfiguredLogger("TBOAuth");
 }
 
-OAuth2.CODE_AUTHORIZATION = "authorization_code";
-OAuth2.CODE_REFRESH = "refresh_token";
-
 OAuth2.prototype = {
 consumerKey: null,
 consumerSecret: null,
@@ -53,7 +50,7 @@ OAuth2.prototype = {
 if (!aRefresh && this.accessToken) {
 aSuccess();
 } else if (this.refreshToken) {
- this.requestAccessToken(this.refreshToken, OAuth2.CODE_REFRESH);
+ this.requestAccessToken(this.refreshToken, true);
 } else {
 if (!aWithUI) {
 aFailure('{ "error": "auth_noui" }');
@@ -165,7 +162,7 @@ OAuth2.prototype = {
 this.log.info("OAuth2 authorization received: url=" + aURL);
 let params = new URLSearchParams(aURL.split("?", 2)[1]);
 if (params.has("code")) {
- this.requestAccessToken(params.get("code"), OAuth2.CODE_AUTHORIZATION);
+ this.requestAccessToken(params.get("code"), false);
 } else {
 this.onAuthorizationFailed(null, aURL);
 }
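Review bot: The context line `this.log.info("OAuth2 authorization received: url=" + aURL);` in the third hunk (@@ -165,7 +162,7 @@) writes the whole redirect URL to the TBOAuth log, and the lines right after it show that this URL carries the authorization `code` in its query string. The patch leaves that line unchanged, so the code still reaches the log whenever the logger is configured at info level. Logging only the part before the `?`, for example `this.log.info("OAuth2 authorization received: url=" + aURL.split("?", 1)[0]);`, keeps the credential out of the log output. `onAuthorizationFailed(null, aURL)` receives the same URL and deserves the same check if it logs its argument, which is not visible here. The enclosing function starts and ends outside the hunk.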
@@ -175,18 +172,27 @@ OAuth2.prototype = {
 this.connectFailureCallback(aData);
 },
 
- requestAccessToken: function requestAccessToken(aCode, aType) {
+ /**
+ * Request a new access token, or refresh an existing one.
+ * @param {string} aCode - The token issued to the client.
+ * @param {boolean} aRefresh - Whether it's a refresh of a token or not.
+ */
+ requestAccessToken(aCode, aRefresh) {
+ // @see RFC 6749 section 4.1.3. Access Token Request
+ // @see RFC 6749 section 6. Refreshing an Access Token
+
 let params = [
 ["client_id", this.consumerKey],
 ["client_secret", this.consumerSecret],
- ["grant_type", aType],
 ];
 
- if (aType == OAuth2.CODE_AUTHORIZATION) {
+ if (aRefresh) {
+ params.push(["grant_type", "refresh_token"]);
+ params.push(["refresh_token", aCode]);
+ } else {
+ params.push(["grant_type", "authorization_code"]);
 params.push(["code", aCode]);
 params.push(["redirect_uri", this.completionURI]);
- } else if (aType == OAuth2.CODE_REFRESH) {
- params.push(["refresh_token", aCode]);
 }
 
 let options = {
-- cgit v1.2.3
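Review bot: `if (aRefresh)` tests truthiness, so the grant type now depends on how a non-boolean argument coerces: a caller still passing the old string `"authorization_code"` takes the refresh branch and sends the code as `refresh_token`, while a caller still passing `OAuth2.CODE_REFRESH` (now undefined) takes the authorization-code branch. The two call sites in this patch pass `true` and `false`, so this only matters for callers outside it, which are not visible here. The doc comment should state the boolean requirement and describe `aCode` accurately, since on the non-refresh path it is an authorization code rather than a token: `@param {string} aCode - The authorization code, or the refresh token when aRefresh is true.` and `@param {boolean} aRefresh - Must be a boolean; true sends grant_type=refresh_token.` The function body continues past `let options = {`, outside the hunk.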