Requesting access token in DocuSign - Node.js

Question

I am following this documentation: https://account-d.docusign.com/oauth/token

I am trying the following for the callback API:

router.get('/authGrantReturn', function(req, res){
    let query = req.query; 

    console.log("code: " + req.query.code);
    console.log("status: " + req.query.state);
    console.log("in authGrantReturn");

        return new Promise((resolve, reject)=>{
    try{


    let bodyData = {
            grant_type: 'authorization_code',
            code: req.query.code
        };


        console.log( "========code======")
        console.log(  req.query.code)
        console.log( "========/code======")

        let combination = `${integrationKey}:${secretKey}`;
        let b64Combination = Buffer.from(combination).toString('base64');

        console.log("combination "+ combination)
        console.log("b64Combination "+ b64Combination)

   fetch('https://account-d.docusign.com/oauth/token',{
        method: 'POST',
        headers: { 'Authorization': 'Basic ' + b64Combination, 

        'Content-Type': 'application/x-www-form-urlencoded' },
       body: bodyData
   })





    /* fetch('https://account-d.docusign.com/oauth/token?grant_type:authorization_code&code='+b64Combination,{
        method: 'GET',
        headers: { 'Authorization': 'Basic ${b64Combination}', 'Content-Type': 'application/x-www-form-urlencoded',  'Content-Encoding': 'gzip'}
    }) */
    .then(function (res) {

etc....

The above is the callback function called by url that looks like this: https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature&client_id=7c2b8d7e-xxxx-xxxx-xxxx-cda8a50dd73f&state=a39fh23hnf23&redirect_uri=http://example.com/callback/

However I am getting "Bad Request" , the req.query.code is correct, I am not sure about the combination.

What am I missing?

Answer 1

I did a visual review of your code and have several comments:

Readability

I suggest that you use await instead of dealing with the promise objects explicitly. Note that your code will need to be in an async function to use await, but this is easy to do.

Sending form data via Fetch

I think your specific problem is that you're not sending the form data correctly. See this reference.

Caveat: the following code uses the FormData object. It always creates multipart/form-data requests. If this doesn't work then you can create the form-data either via the URLSearchParams object or explicitly. See the reference.

Untested code:

const bodyform = new FormData();
bodyform.append('grant_type', 'authorization_code');
bodyform.append('code', 'req.query.code');

console.log( "========code======")
console.log(  req.query.code)
console.log( "========/code======")

let combination = `${integrationKey}:${secretKey}`;
let b64Combination = Buffer.from(combination).toString('base64');

console.log("combination "+ combination);
console.log("b64Combination "+ b64Combination);

let res = await fetch('https://account-d.docusign.com/oauth/token',{
    method: 'POST',
    headers: { 'Authorization': 'Basic ' + b64Combination },
    body: bodyform
});

console.log( "========Results========"); console.log (res);

Check state

It is important to check that the state value you receive back from DocuSign is the same one you sent when you re-directed the user's browser to the DocuSign identity service. The state value prevents CSRF attacks. It must be a new nonce value--random and unguessable.

Try / catch

You should wrap the fetch call in a try/catch block. This will work correctly with await to catch errors.

Use a library

The security experts recommend that you use a library whenever you're implementing a security-related process (where libraries are commonly available).

For Node.js, the passport library is very popular and there's a passport strategy for DocuSign. See this example of using it.

See the index and the DSAuthCodeGrant supporting object which fetches the user's name, account id, API base url, etc.