From 472ae47e2043d09704f46f49beeba082646bc6d9 Mon Sep 17 00:00:00 2001
From: Tamlyn Rhodes <tamlyn@tamlyn.org>
Date: Wed, 11 Apr 2018 11:34:54 +0100
Subject: [PATCH] fix(auth-orcid): return JWT in URL hash instead of query

This is to keep it out of server logs since the hash doesn't get sent to the server.
---
 server/auth/orcid.js      | 2 +-
 server/auth/orcid.test.js | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/server/auth/orcid.js b/server/auth/orcid.js
index 471c7eb..4ec9708 100644
--- a/server/auth/orcid.js
+++ b/server/auth/orcid.js
@@ -59,7 +59,7 @@ module.exports = app => {
     }),
     (req, res) => {
       const jwt = authentication.token.create(req.user)
-      res.redirect(`/login?token=${jwt}`)
+      res.redirect(`/login#${jwt}`)
     },
   )
 }
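Review bot: Moving the token into the fragment keeps it out of the server's access log, but the redirect on line 21 still leaves it in the browser history and readable by any script running on `/login`, and nothing in this hunk shows the client consuming and clearing it. A comment on the redirect line would make that contract explicit, e.g. `// token rides in the URL fragment so it is never sent to the server; the login page must read it and clear it (history.replaceState) right away`. The interpolated `jwt` is presumably a compact JWT (base64url segments joined by dots), which needs no escaping inside a fragment; if `authentication.token.create` could ever return anything else, wrap it in `encodeURIComponent`. The enclosing `app.get(...)` call and the `module.exports` arrow start before the hunk.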
diff --git a/server/auth/orcid.test.js b/server/auth/orcid.test.js
index bac2f1f..a1cad8b 100644
--- a/server/auth/orcid.test.js
+++ b/server/auth/orcid.test.js
@@ -13,7 +13,7 @@ const makeApp = () => {
 describe('ORCID auth', () => {
   beforeEach(() => createTables(true))
 
-  it('can log in', async () => {
+  it('exchanges code and returns JWT', async () => {
     // mock OAuth response
     nock('https://sandbox.orcid.org')
       .post('/oauth/token')
@@ -29,6 +29,6 @@ describe('ORCID auth', () => {
 
     const app = makeApp()
     const response = await app.get('/auth/orcid/callback?code=def')
-    expect(response.header.location).toMatch(/^\/login\?token/)
+    expect(response.header.location).toMatch(/^\/login#\w+/)
   })
 })
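Review bot: The new assertion on line 43 only requires one word character after `#`, so it would still pass for a truncated or otherwise malformed token. Given the handler redirects with what appears to be a compact JWT, the test can pin the full three-segment shape, `expect(response.header.location).toMatch(/^\/login#[\w-]+\.[\w-]+\.[\w-]+$/)`, which also rules out any leftover query-string parameters carrying the token. The `describe` block and the `it` callback begin before this hunk.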
-- 
GitLab