sync

derisen · derisen · commit d5b884609569 · 2020-11-20T09:08:03.000-08:00
diff --git a/3-Authorization-II/1-call-api/AppCreationScripts/sample.json b/3-Authorization-II/1-call-api/AppCreationScripts/sample.json
@@ -39,7 +39,7 @@
             "Mappings": [
               {
                 "key": "clientId",
-                "value": ".AppId"
+                "value": "Service.AppId"
               },
               {
                 "key": "tenantId",
@@ -52,26 +52,34 @@
             "SettingKind": "JSON",
             "SettingFile": "\\..\\WebApp\\auth.json",
             "Mappings": [
-            {
-                "key": "clientId",
-                "value": ".AppId"
-            },
-            {
-                "key": "tenantId",
-                "value": "$tenantId"
-            },
-            {
-                "key": "clientSecret",
-                "value": ".AppKey"
-            },
-            {
-                "key": "redirectUri",
-                "value": ".ReplyUrls"
-            },
-            {
-                "key": "postLogoutRedirectUri",
-                "value": ".HomePage"
-            }
+                {
+                    "key": "clientId",
+                    "value": ".AppId"
+                },
+                {
+                    "key": "tenantId",
+                    "value": "$tenantId"
+                },
+                {
+                    "key": "clientSecret",
+                    "value": ".AppKey"
+                },
+                {
+                    "key": "redirectUri",
+                    "value": ".ReplyUrls"
+                },
+                {
+                    "key": "postLogoutRedirectUri",
+                    "value": ".HomePage"
+                },
+                {
+                    "key": "endpoint",
+                    "value": "Service.HomePage"
+                },
+                {
+                    "key": "scopes",
+                    "value": "Service.Scope"
+                }
             ]
         }
     ]
diff --git a/3-Authorization-II/1-call-api/WebApp/App/routes/router.js b/3-Authorization-II/1-call-api/WebApp/App/routes/router.js
@@ -6,7 +6,7 @@ const MsalExpressMiddleware = require('../../../../../MsalNodeCommons/MsalExpres
 const auth = require('../../auth.json');
 const cache = require('../utils/cachePlugin');
 
-const msal = new MsalExpressMiddleware(auth, cache);
+const msal = new MsalExpressMiddleware(auth);
 
 // initialize router
 const router = express.Router();
diff --git a/5-Deployment/README.md b/5-Deployment/README.md
@@ -13,7 +13,7 @@
 
 ## Overview
 
-This sample demonstrates how to deploy a Node.js & Express web application coupled with a Node.js & Express web API to **Azure Cloud** using the [Azure App Service](https://docs.microsoft.com/azure/app-service/). To do so, we will use the [same code sample from Chapter 3](../3-Authorization-II/1-call-api). 
+This sample demonstrates how to deploy a Node.js & Express web application coupled with a Node.js & Express web API to **Azure Cloud** using the [Azure App Service](https://docs.microsoft.com/azure/app-service/). To do so, we will use the [same code sample from Chapter 3](../3-Authorization-II/1-call-api).
 
 > :information_source: The steps below apply similarly to B2C applications, for instance the [B2C sample from Chapter 3](../3-Authorization-II/2-call-api-b2c)
 
@@ -127,7 +127,7 @@ At this point, the only field left to update is `resources.webAPI.endpoint`. We
 2. On the **App Service** explorer section you will see an upward-facing arrow icon. Click on it publish your local files in the `WebAPI` folder to **Azure App Services**.
 3. Choose a creation option based on the operating system to which you want to deploy. in this sample, we choose **Linux**.
 4. Select a Node.js version when prompted. An **LTS** version is recommended.
-5. Type a globally unique name for your web API and press Enter. The name must be unique across all of **Azure**. (e.g. `https://msal-nodejs-webapi1.azurewebsites.net/`)
+5. Type a globally unique name for your web API and press Enter. The name must be unique across all of **Azure**. (e.g. `msal-nodejs-webapi1`)
 6. After you respond to all the prompts, **VS Code** shows the **Azure** resources that are being created for your app in its notification popup.
 7. Select **Yes** when prompted to update your configuration to run npm install on the target Linux server.
 
diff --git a/MsalNodeCommons/CryptoUtilities.js b/MsalNodeCommons/CryptoUtilities.js
@@ -7,7 +7,7 @@ const { v4: uuidv4 } = require('uuid');
 
 /**
  * Basic cryptography methods for generating GUIDs and encoding state. 
- * Credits: https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node/src/crypto
+ * Source: https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node/src/crypto
  */
 class CryptoUtilities {
 
diff --git a/MsalNodeCommons/MsalExpressMiddleware.js b/MsalNodeCommons/MsalExpressMiddleware.js
@@ -82,7 +82,7 @@ class MsalExpressMiddleware {
             auth: {
                 clientId: config.credentials.clientId,
                 authority: config.hasOwnProperty('policies') ? config.policies.signUpSignIn.authority : constants.AuthorityStrings.AAD + config.credentials.tenantId, // single organization
-                clientSecret: config.credentials.hasOwnProperty('clientSecret') ? config.credentials.clientSecret : "",
+                clientSecret: config.credentials.clientSecret,
                 redirectUri: config.hasOwnProperty('configuration') ? config.configuration.redirectUri : null, // defaults to calling page
                 knownAuthorities: config.hasOwnProperty('policies') ? [config.policies.authorityDomain] : [], // 
             },
@@ -154,7 +154,7 @@ class MsalExpressMiddleware {
                     stage: constants.AppStages.RESET_PASSWORD,
                     path: req.route.path,
                     rand: req.session.rand
-                }), 'null');
+                }), null);
     
             // if coming for password reset, set the authority to resetPassword
             this.getAuthCode(
@@ -224,6 +224,7 @@ class MsalExpressMiddleware {
         // check if rand matches
         if (state.rand === req.session.rand) {
             if (state.stage === constants.AppStages.SIGN_IN) {
+
                 // token request should have auth code
                 const tokenRequest = {
                     redirectUri: this.msalConfig.auth.redirectUri,
@@ -357,7 +358,6 @@ class MsalExpressMiddleware {
         // TODO: cache fail safe
         if (!account) {
             throw new Error('account not found');
-            
         }
 
         const silentRequest = {
@@ -415,15 +415,15 @@ class MsalExpressMiddleware {
                         rand: req.session.rand
                     }), null);
 
-                // initiate the first leg of auth code grant to get token
-                this.getAuthCode(
-                    this.msalConfig.auth.authority, 
-                    scopes, 
-                    state, 
-                    this.msalConfig.auth.redirectUri,
-                    req, 
-                    res
-                    );
+                    // initiate the first leg of auth code grant to get token
+                    this.getAuthCode(
+                        this.msalConfig.auth.authority, 
+                        scopes, 
+                        state, 
+                        this.msalConfig.auth.redirectUri,
+                        req, 
+                        res
+                        );
                 }
             });
     };
@@ -539,7 +539,7 @@ class MsalExpressMiddleware {
          * https://docs.microsoft.com/azure/active-directory/develop/id-tokens#validating-an-id_token
          */
         const checkAudience = idTokenClaims["aud"] === this.msalConfig.auth.clientId ? true : false;
-        const checkTimestamp = idTokenClaims["iat"] < now && idTokenClaims["exp"] > now ? true: false;
+        const checkTimestamp = idTokenClaims["iat"] <= now && idTokenClaims["exp"] >= now ? true: false;
 
         // TODO: B2C check tenant
         const checkTenant = (this.rawConfig.hasOwnProperty('policies') && idTokenClaims["tid"] === undefined) || idTokenClaims["tid"] === this.rawConfig.credentials.tenantId ? true : false;
@@ -556,7 +556,6 @@ class MsalExpressMiddleware {
         const now = Math.round((new Date()).getTime() / 1000); // in UNIX format
 
         const authHeader = req.headers.authorization;
-
         const accessToken = authHeader.split(' ')[1];
         
         if (!accessToken) {
@@ -579,7 +578,7 @@ class MsalExpressMiddleware {
              * https://docs.microsoft.com/azure/active-directory/develop/access-tokens#validating-tokens
              */
             const checkIssuer = verifiedToken['iss'].includes(this.rawConfig.credentials.tenantId) ? true : false;
-            const checkTimestamp = verifiedToken["iat"] < now && verifiedToken["exp"] > now ? true : false;
+            const checkTimestamp = verifiedToken["iat"] <= now && verifiedToken["exp"] >= now ? true : false;
             const checkAudience = verifiedToken['aud'] === this.rawConfig.credentials.clientId || verifiedToken['aud'] === 'api://' + this.rawConfig.credentials.clientId ? true : false;
             const checkScope = this.rawConfig.protected.find(item => item.route === req.route.path).scopes
                 .every(scp => verifiedToken['scp'].includes(scp));
