boxyhq · deepakprabhakara · Feb 3, 2024 · Feb 3, 2024
diff --git a/lib/request.ts b/lib/request.ts
@@ -72,7 +72,7 @@
 };

 // Parse XML
 const parseXML = (xml: string): Promise<Record<string, any>> => {
  return new Promise((resolve, reject) => {
    xml2js.parseString(
      xml,
@@ -80,7 +80,7 @@
        tagNameProcessors: [xml2js.processors.stripPrefix],
        strict: true,
      },
      (err: Error | null, result: any) => {
        if (err) {
          reject(err);
        }
@@ -99,11 +99,8 @@
 };
 
 // Parse SAMLRequest attributes
-const parseSAMLRequest = async (request: string, isPost = true) => {
-  // if the request is a POST, it will be not be deflated
-  const decodedRequest = await decodeBase64(request, !isPost);
-
-  const result = await parseXML(decodedRequest);
+const parseSAMLRequest = async (rawRequest: string, isPost = true) => {
+  const result = await parseXML(rawRequest);
 
   const attributes = result['AuthnRequest']['$'];
   const issuer = result['AuthnRequest']['Issuer'];
@@ -112,6 +109,10 @@
     ? result['AuthnRequest']['Signature'][0]['KeyInfo'][0]['X509Data'][0]['X509Certificate'][0]
     : null;
 
+  if (!issuer) {
+    throw new Error("Missing 'Issuer' in SAML Request.");
+  }
+
   if (!publicKey && isPost) {
     throw new Error('Missing signature');
   }
@@ -122,8 +123,7 @@
     providerName: attributes.ProviderName,
     audience: issuer[0]['_'] ?? issuer[0], // also known as entityID
     publicKey,
-    decodedRequest,
   };
 };
 
-export { request, parseSAMLRequest };
+export { request, parseSAMLRequest, decodeBase64 };
diff --git a/test/lib/request.spec.ts b/test/lib/request.spec.ts
@@ -1,6 +1,6 @@
 import assert from 'assert';
 import fs from 'fs';
-import { parseSAMLRequest, request } from '../../lib/request';
+import { decodeBase64, parseSAMLRequest, request } from '../../lib/request';
 
 const request1 = fs.readFileSync('./test/assets/request1.xml').toString();
 const request2 = fs.readFileSync('./test/assets/request2.xml').toString();
@@ -30,30 +30,30 @@ describe('request.ts', function () {
   });
 
   it('parseSAMLRequest sample 1 ok', async function () {
-    const res1 = await parseSAMLRequest(request1, false);
+    const decodedRequest1 = await decodeBase64(request1, true);
+    const res1 = await parseSAMLRequest(decodedRequest1, false);
     assert.strictEqual(res1.id, 'id-6888523066678369812_-1');
     assert.strictEqual(res1.acsUrl, 'https://test1.snowflakecomputing.com/fed/login');
     assert.strictEqual(res1.audience, 'https://test1.snowflakecomputing.com');
     assert.strictEqual(res1.publicKey, null);
-    assert(res1.decodedRequest);
   });
 
   it('parseSAMLRequest sample 2 ok', async function () {
-    const res2 = await parseSAMLRequest(request2, false);
+    const decodedRequest2 = await decodeBase64(request2, true);
+    const res2 = await parseSAMLRequest(decodedRequest2, false);
     assert.strictEqual(res2.id, '_aa4df01f-3911-4de7-ae9a-a793a7f6c12c');
     assert.strictEqual(res2.acsUrl, undefined);
     assert.strictEqual(res2.audience, 'https://fivetran.com');
     assert.strictEqual(res2.publicKey, null);
-    assert(res2.decodedRequest);
   });
 
   it('parseSAMLRequest sample 3 ok', async function () {
-    const res3 = await parseSAMLRequest(request3, false);
+    const decodedRequest3 = await decodeBase64(request3, true);
+    const res3 = await parseSAMLRequest(decodedRequest3, false);
     assert.strictEqual(res3.id, 'ONELOGIN_c6bc2360-ea7d-45ca-b206-4220a4f5b978');
     assert.strictEqual(res3.acsUrl, 'https://iam.twilio.com/v1/Accounts/abcdef/saml2');
     assert.strictEqual(res3.audience, 'https://iam.twilio.com/v1/Accounts/abcdef/saml2/metadata');
     assert.strictEqual(res3.publicKey, null);
     assert.strictEqual(res3.providerName, 'Twilio');
-    assert(res3.decodedRequest);
   });
 });