src/Adapters/Auth/spotify.js

// Helper functions for accessing the Spotify API.
const httpsRequest = require('./httpsRequest');
var Parse = require('parse/node').Parse;

// Returns a promise that fulfills iff this user id is valid.
function validateAuthData(authData) {
  return request('me', authData.access_token).then(data => {
    if (data && data.id == authData.id) {
      return;
    }
    throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Spotify auth is invalid for this user.');
  });
}

// Returns a promise that fulfills if this app id is valid.
async function validateAppId(appIds, authData) {
  const access_token = authData.access_token;
  if (!Array.isArray(appIds)) {
    throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'appIds must be an array.');
  }
  if (!appIds.length) {
    throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Spotify auth is not configured.');
  }
  const data = await request('me', access_token);
  if (!data || !appIds.includes(data.id)) {
    throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Spotify auth is invalid for this user.');
  }
}

// A promisey wrapper for Spotify API requests.
function request(path, access_token) {
  return httpsRequest.get({
    host: 'api.spotify.com',
    path: '/v1/' + path,
    headers: {
      Authorization: 'Bearer ' + access_token,
    },
  });
}

module.exports = {
  validateAppId: validateAppId,
  validateAuthData: validateAuthData,
};
Spotify authentication 2016-03-28 02:07:10 -04:00			`// Helper functions for accessing the Spotify API.`
Refactor all auth adapters to reduce duplications (#4954) * Refactor all auth adapters to reduce duplications * Adds mocking and proper testing for all auth adapters * Proper testing of the google auth adapter * noit 2018-08-12 11:05:28 -04:00			`const httpsRequest = require('./httpsRequest');`
Spotify authentication 2016-03-28 02:07:10 -04:00			`var Parse = require('parse/node').Parse;`

			`// Returns a promise that fulfills iff this user id is valid.`
			`function validateAuthData(authData) {`
Use Prettier JS (#5017) * Adds prettier * Run lint before tests 2018-09-01 13:58:06 -04:00			`return request('me', authData.access_token).then(data => {`
			`if (data && data.id == authData.id) {`
			`return;`
			`}`
Fix Prettier (#7066) 2020-12-13 11:19:04 -06:00			`throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Spotify auth is invalid for this user.');`
Use Prettier JS (#5017) * Adds prettier * Run lint before tests 2018-09-01 13:58:06 -04:00			`});`
Spotify authentication 2016-03-28 02:07:10 -04:00			`}`

			`// Returns a promise that fulfills if this app id is valid.`
fix: authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`) ([GHSA-r657-33vp-gp22](https://github.com/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22)) (#8185) 2022-09-20 22:31:19 +02:00			`async function validateAppId(appIds, authData) {`
			`const access_token = authData.access_token;`
			`if (!Array.isArray(appIds)) {`
			`throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'appIds must be an array.');`
			`}`
Spotify authentication 2016-03-28 02:07:10 -04:00			`if (!appIds.length) {`
Fix Prettier (#7066) 2020-12-13 11:19:04 -06:00			`throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Spotify auth is not configured.');`
Spotify authentication 2016-03-28 02:07:10 -04:00			`}`
fix: authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`) ([GHSA-r657-33vp-gp22](https://github.com/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22)) (#8185) 2022-09-20 22:31:19 +02:00			`const data = await request('me', access_token);`
			`if (!data \|\| !appIds.includes(data.id)) {`
Fix Prettier (#7066) 2020-12-13 11:19:04 -06:00			`throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Spotify auth is invalid for this user.');`
fix: authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`) ([GHSA-r657-33vp-gp22](https://github.com/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22)) (#8185) 2022-09-20 22:31:19 +02:00			`}`
Spotify authentication 2016-03-28 02:07:10 -04:00			`}`

			`// A promisey wrapper for Spotify API requests.`
			`function request(path, access_token) {`
Refactor all auth adapters to reduce duplications (#4954) * Refactor all auth adapters to reduce duplications * Adds mocking and proper testing for all auth adapters * Proper testing of the google auth adapter * noit 2018-08-12 11:05:28 -04:00			`return httpsRequest.get({`
			`host: 'api.spotify.com',`
			`path: '/v1/' + path,`
			`headers: {`
Use Prettier JS (#5017) * Adds prettier * Run lint before tests 2018-09-01 13:58:06 -04:00			`Authorization: 'Bearer ' + access_token,`
			`},`
Spotify authentication 2016-03-28 02:07:10 -04:00			`});`
			`}`

			`module.exports = {`
			`validateAppId: validateAppId,`
Use Prettier JS (#5017) * Adds prettier * Run lint before tests 2018-09-01 13:58:06 -04:00			`validateAuthData: validateAuthData,`
Spotify authentication 2016-03-28 02:07:10 -04:00			`};`