Use the POST method to validate IMS tokens (#25)

adobe · Oct 18, 2023 · af0993a · af0993a
1 parent 3118bb5
commit af0993a
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 19 deletions.
diff --git a/ims/validate_token.go b/ims/validate_token.go
@@ -15,6 +15,8 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"net/url"
+	"strings"
 )
 
 // ValidateTokenRequest is the request to ValidateToken.
@@ -41,21 +43,20 @@ func (c *Client) ValidateTokenWithContext(ctx context.Context, r *ValidateTokenR
 		return nil, fmt.Errorf("invalid token type: %v", r.Type)
 	}
 
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf("%s/ims/validate_token/v1", c.url), nil)
+	data := url.Values{}
+
+	data.Set("type", string(r.Type))
+	data.Set("client_id", r.ClientID)
+	data.Set("token", r.Token)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("%s/ims/validate_token/v1", c.url), strings.NewReader(data.Encode()))
 	if err != nil {
 		return nil, fmt.Errorf("create request: %v", err)
 	}
 
-	query := req.URL.Query()
-
-	query.Set("type", string(r.Type))
-	query.Set("client_id", r.ClientID)
-	query.Set("token", r.Token)
-
-	req.URL.RawQuery = query.Encode()
-
 	// Header X-IMS-ClientID will be mandatory in the future
 	req.Header.Set("X-IMS-ClientId", r.ClientID)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 
 	res, err := c.do(req)
 	if err != nil {

diff --git a/ims/validate_token_test.go b/ims/validate_token_test.go
@@ -21,8 +21,8 @@ import (
 
 func TestValidateToken(t *testing.T) {
 	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Only GET accepted
-		if r.Method != http.MethodGet {
+		// Only POST accepted
+		if r.Method != http.MethodPost {
 			t.Fatalf("invalid method: %v", r.Method)
 		}
 
@@ -31,17 +31,19 @@ func TestValidateToken(t *testing.T) {
 			t.Fatalf("invalid X-IMS-ClientId header: %v", h)
 		}
 
-		clientIdParam, ok := r.URL.Query()["client_id"]
-		if !ok || clientIdParam[0] == "" {
-			t.Fatalf("missing mandatory client_id URL parameter")
+		if err := r.ParseForm(); err != nil {
+			t.Fatalf("parse form: %v", err)
 		}
 
-		// Token type URL parameter is mandatory
-		typeParam, ok := r.URL.Query()["type"]
-		if !ok || typeParam[0] == "" {
-			t.Fatalf("missing mandatory type URL parameter")
+		if v := r.PostForm.Get("client_id"); v != "test_client_id" {
+			t.Fatalf("missing client ID: %v", v)
 		}
-		var tokenType = ims.TokenType(typeParam[0])
+
+		if v := r.PostForm.Get("type"); v == "" {
+			t.Fatalf("missing type: %v", v)
+		}
+
+		var tokenType = ims.TokenType(r.PostForm.Get("type"))
 
 		switch tokenType {
 		case ims.AccessToken, ims.RefreshToken, ims.DeviceToken, ims.AuthorizationCode: