Susan Harkins (252) [Avatar] Offline
#1
Please list errors found in the published version of OAuth 2 in Action here. We'll publish a comprehensive list if necessary for everyone's convenience. Thank you!

Susan Harkins
Errata Editor
Manning Publications
Alan (8) [Avatar] Offline
#2
3.2.2 on p.50
res.render('index', {access_token: body.access_token});
throws
ReferenceError: scope is not defined
Fix is to add scope: scope to the map:

res.render('index', {access_token: body.access_token,scope: scope});

Alan (8) [Avatar] Offline
#3
3.4 p. 54: Says trying the unedited ch-3-ex-2 client.js fetch of a resource before acquiring an access_token will display Figure 3.7 showing the 401 Error. In fact, it displays nothing because there's no code to implement this at client.js line 136. Add these lines to make it work:
        console.log("resource status error code " + resource.statusCode);
        res.render('error', {error: 'Unable to fetch resource. Status ' + resource.statusCode})
shetc (29) [Avatar] Offline
#4
Pg 81, Para 3 -- "...the user clicked the Approve or the."
shetc (29) [Avatar] Offline
#5
Chapter 5:
$ node authorizationServer.js
/tmp/oauth-in-action-code-master/exercises/ch-5-ex-2/authorizationServer.js:193
nosql.remove(function(found) { return (found == token); function(){}});
^
SyntaxError: Unexpected token (
at createScript (vm.js:53:10)
at Object.runInThisContext (vm.js:95:10)
at Module._compile (module.js:543:28)
at Object.Module._extensions..js (module.js:580:10)
at Module.load (module.js:488:32)
at tryModuleLoad (module.js:447:12)
at Function.Module._load (module.js:439:3)
at Module.runMain (module.js:605:10)
at run (bootstrap_node.js:423:7)
at startup (bootstrap_node.js:147:9)

node -v
v7.8.0
419523 (1) [Avatar] Offline
#6
p.67 (4.3.1): newer versions of node (I am running 7.8) require an explicit end() when sending the error response, e.g.

res.status(403).end();

instead of
res.status(403);

This applies to the three snippets (get/post/delete).
Alan (8) [Avatar] Offline
#7
Section 4.3.1 p. 66: Example code in book doesn't match delivered code. app.post returns
res.status(201) 
in the book and nothing in the sample code. app.delete returns
res.status(204).end()
in the book and
res.status(201).end()
in the code. Completed code matches the book.

As such, running protectedResource.js without any edits causes the client to fail to return a Success status for the Post a word and Delete a word actions and hangs after the first try.

So in this case the book is correct and the delivered code is wrong.
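Editor's note: to make the hang described in #6 and #7 checkable, here is an added example that is not the book's protectedResource.js. It writes the three word handlers against a small stand-in for Express's res object (only the methods used here are mimicked) plus the scope gate that produces the 403. The route names, the scope names read/write/delete and the savedWords array are assumptions about the exercise.

```javascript
// Added example, not the book's code: a stand-in for the parts of Express's
// response object that the 4.3.1 handlers use, so a test can ask whether a
// handler actually finished the response.
class FakeRes {
  constructor() {
    this.statusCode = 200;
    this.headers = {};
    this.body = undefined;
    this.ended = false; // true once end() or json() has run
  }
  status(code) { this.statusCode = code; return this; } // chainable, like Express
  set(name, value) { this.headers[name.toLowerCase()] = value; return this; }
  json(obj) { this.body = obj; this.ended = true; return this; }
  end() { this.ended = true; return this; }
}

// Scope gate, RFC 6750 section 3.1: a token lacking the scope gets 403 with a
// WWW-Authenticate challenge. The response is ended here; without end() the
// client would wait forever, which is the hang reported above.
function requireScope(needed, req, res) {
  const granted = (req.access_token && req.access_token.scope) || [];
  if (granted.includes(needed)) return true;
  res.set('WWW-Authenticate',
          'Bearer realm="words", error="insufficient_scope", scope="' + needed + '"')
     .status(403)
     .end();
  return false;
}

// Handlers with the status codes as printed in the book: 201 for POST, 204 for
// DELETE. Scope names and the savedWords list are assumptions about the exercise.
function makeHandlers(savedWords) {
  return {
    getWords(req, res) {
      if (!requireScope('read', req, res)) return;
      res.status(200).json({ words: savedWords.join(' '), timestamp: Date.now() });
    },
    postWord(req, res) {
      if (!requireScope('write', req, res)) return;
      savedWords.push(req.body.word);
      res.status(201).end();
    },
    deleteWord(req, res) {
      if (!requireScope('delete', req, res)) return;
      savedWords.pop();
      res.status(204).end();
    },
  };
}

// The defect the thread reports: a status is set but the response never ends,
// so the HTTP client keeps waiting for a body that will not arrive.
function brokenPostWord(req, res) {
  res.status(201);
}
```

Running the broken handler against a FakeRes leaves `ended` false, which is exactly the symptom seen from the client; the fixed handlers always end the response, whether the outcome is 201, 204 or 403.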
Alan (8) [Avatar] Offline
#8
Section 6.1.1 p. 96 at the bottom shows:
nosql.insert({ access_token: access_token, client_id: clientId, scope: rscope });
but clientId is undefined and throws ReferenceError: clientId is not defined. Correct code uses client.client_id:
nosql.insert({ access_token: access_token, client_id: client.client_id, scope: rscope });
Alan (8) [Avatar] Offline
#9
Section 7.3 page 126 strike text: ch-7-ex-0,

The example code is in ch-7-ex-1 which is cited in the next sentence.
Alan (8) [Avatar] Offline
#10
Section 7.3 page 126: "Finally, we need to plug the dynamic registration...."

Example of adding the ajax code at the bottom of the page sets no context as to where it goes and is also missing window.onload = function() {.
Had to do a diff to find out what was different.
diff  native-client/www/index.html completed/index.html native-client/www/index.html

to see that what's actually added just after var protectedResource... is
      window.onload = function() {

        if (!client.client_id) {
          $.ajax({
              url: authServer.registrationEndpoint,
              type: 'POST',
              data: client,
              crossDomain: true,
              dataType: 'json'
            }).done(function(data) {
              client.client_id = data.client_id;
              client.client_secret = data.client_secret;
            }).fail(function() {
              $('.oauth-protected-resource').text('Error while fetching registration endpoint');
            });
        }
      }
Alan (8) [Avatar] Offline
#11
Section 8.3, page 152 states, "At this point, every time you try to hit the endpoint with the browser using HTTP (not over TLS), you would notice an internal 307 redirect made from the browser.... Our test environment doesn't use TLS at all, so this header effectively makes our resource completely inaccessible."

The problem is that the expected failure does not appear to happen even though the hsts header is returned to the client.js and there is no 307 redirect happening.

ch-8-ex-3$ curl -v -H 'Authorization: Bearer mkds6VrEu2KFtLEM0KtUAcPmS8gSDx1m' http://localhost:9002/helloWorld?language=en
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9002 (#0)
> GET /helloWorld?language=en HTTP/1.1
> Host: localhost:9002
> User-Agent: curl/7.43.0
> Accept: */*
> Authorization: Bearer mkds6VrEu2KFtLEM0KtUAcPmS8gSDx1m
> 
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Access-Control-Allow-Origin: *
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000
< Content-Type: application/json; charset=utf-8
< Content-Length: 33
< ETag: W/"21-hCplPWa89VD+OLTVXZ7gO78UxSg"
< Date: Mon, 01 May 2017 17:37:13 GMT
< Connection: keep-alive
< 
{
    "greeting": "Hello World"
* Connection #0 to host localhost left intact
}ch-8-ex-3$ 
Alan (8) [Avatar] Offline
#12
Section 10.4.1 p. 178:

Boldface highlighting of only one line of code sample when in fact the entire piece is new code to add (and therefore no context is shown).

Also, even when the PKCE changes are correctly implemented, the protectedResource.js returns a 401 error.
109178 (1) [Avatar] Offline
#13
Page 29:
“Because OAuth governs access to APIs, which in turn gates access to your important data, it’s crucial that you do use it in a safe way by avoiding antipatterns and using best practices.”

Excerpt From: Justin Richer
Antonio Sanso. “OAuth 2 in Action.” iBooks.
The word gates should be something like grants.
Justin Richer (50) [Avatar] Offline
#14
shetc wrote:Chapter 5:
$ node authorizationServer.js
/tmp/oauth-in-action-code-master/exercises/ch-5-ex-2/authorizationServer.js:193
nosql.remove(function(found) { return (found == token); function(){}});
^
SyntaxError: Unexpected token (
at createScript (vm.js:53:10)
at Object.runInThisContext (vm.js:95:10)
at Module._compile (module.js:543:28)
at Object.Module._extensions..js (module.js:580:10)
at Module.load (module.js:488:32)
at tryModuleLoad (module.js:447:12)
at Function.Module._load (module.js:439:3)
at Module.runMain (module.js:605:10)
at run (bootstrap_node.js:423:7)
at startup (bootstrap_node.js:147:9)

node -v
v7.8.0


This code is correct in the book and in the exercise. I believe you've missed a closing bracket in your implementation.
Justin Richer (50) [Avatar] Offline
#15
109178 wrote:Page 29:
“Because OAuth governs access to APIs, which in turn gates access to your important data, it’s crucial that you do use it in a safe way by avoiding antipatterns and using best practices.”

Excerpt From: Justin Richer
Antonio Sanso. “OAuth 2 in Action.” iBooks.
The word gates should be something like grants.


The word choice here is intentional and correct. We mean "gates" as in "to control as with a gate", which is what the OAuth protocol is doing.
Justin Richer (50) [Avatar] Offline
#16
Alan wrote:Section 8.3, page 152 states, "At this point, every time you try to hit the endpoint with the browser using HTTP (not over TLS), you would notice an internal 307 redirect made from the browser.... Our test environment doesn't use TLS at all, so this header effectively makes our resource completely inaccessible."

The problem is that the expected failure does not appear to happen even though the hsts header is returned to the client.js and there is no 307 redirect happening.

ch-8-ex-3$ curl -v -H 'Authorization: Bearer mkds6VrEu2KFtLEM0KtUAcPmS8gSDx1m' http://localhost:9002/helloWorld?language=en
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9002 (#0)
> GET /helloWorld?language=en HTTP/1.1
> Host: localhost:9002
> User-Agent: curl/7.43.0
> Accept: */*
> Authorization: Bearer mkds6VrEu2KFtLEM0KtUAcPmS8gSDx1m
> 
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Access-Control-Allow-Origin: *
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000
< Content-Type: application/json; charset=utf-8
< Content-Length: 33
< ETag: W/"21-hCplPWa89VD+OLTVXZ7gO78UxSg"
< Date: Mon, 01 May 2017 17:37:13 GMT
< Connection: keep-alive
< 
{
    "greeting": "Hello World"
* Connection #0 to host localhost left intact
}ch-8-ex-3$ 


Which browser are you testing with? It's possible that it doesn't support the HSTS header functionality or has some catch for localhost. We've seen Internet Explorer do weird things, in particular.
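Editor's note: as an added example, not from the book or from any post above, the following shows what a conforming user agent does with the Strict-Transport-Security header in the curl session quoted in this exchange, following RFC 6797. Two facts explain the 200 seen there: a UA only records the header when the response arrived over TLS (RFC 6797 section 8.1), and curl of the version shown does not implement HSTS at all, so a plain-HTTP request is never rewritten; the 307 the book mentions is a browser's own internal upgrade for a host it has already recorded. Host names, timestamps and the function names are constructed.

```javascript
// Added example: RFC 6797 HSTS processing as a user agent performs it.
// Not the book's code; the store is an in-memory Map from host to
// {expires, includeSubDomains}, and all hosts and times are constructed.

// Parse the header value. Returns null when the header is invalid and must be
// ignored (missing or malformed max-age, or a directive given twice, section 6.1).
function parseHsts(headerValue) {
  const result = { maxAge: null, includeSubDomains: false };
  const seen = new Set();
  for (const raw of headerValue.split(';')) {
    const part = raw.trim();
    if (!part) continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : part.slice(eq + 1).trim();
    if (value && value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1);
    if (seen.has(name)) return null; // duplicate directive: whole header is invalid
    seen.add(name);
    if (name === 'max-age') {
      if (!/^\d+$/.test(value || '')) return null;
      result.maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      result.includeSubDomains = true;
    }
    // unknown directives (e.g. preload) are ignored, as section 6.1 requires
  }
  if (result.maxAge === null) return null; // max-age is the one required directive
  return result;
}

// Record the header for `host`. `overTls` is whether the response came over a
// secure transport with no certificate errors. Returns true if the store changed.
function processStsHeader(store, host, headerValue, overTls, now) {
  if (!overTls) return false; // section 8.1: ignore STS received over non-secure transport
  const parsed = headerValue == null ? null : parseHsts(headerValue);
  if (!parsed) return false;
  if (parsed.maxAge === 0) { store.delete(host); return true; } // max-age=0 forgets the host
  store.set(host, { expires: now + parsed.maxAge * 1000, includeSubDomains: parsed.includeSubDomains });
  return true;
}

// Decide whether an http:// request to `host` must be rewritten to https://
// before any network traffic (the browser's "internal redirect"). Walks from the
// host up through its parent domains so includeSubDomains entries apply.
function shouldUpgrade(store, host, now) {
  const labels = host.split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    const entry = store.get(candidate);
    if (!entry) continue;
    if (entry.expires <= now) { store.delete(candidate); continue; } // expired entry
    if (i === 0 || entry.includeSubDomains) return true;
  }
  return false;
}
```

Feeding the header from the quoted session through `processStsHeader` with `overTls` false leaves the store empty, so `shouldUpgrade` stays false and the plain request goes out unchanged; the same header received over HTTPS would pin the host for a year and cause every later http:// request to it to be upgraded.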
Susan Harkins (252) [Avatar] Offline
#17
The current errata list is available at https://manning-content.s3.amazonaws.com/download/7/6c3fe1b-5fa2-49b0-8df8-61ded4a4f1c1/Richer_OAuth%202%20in%20Action_err1.html. Thanks!

Susan Harkins
Errata Editor
Manning Publications