|
| 1 | +import { findOAuthClient, upsertOAuthClient } from '../utils/dbMethods'; |
| 2 | +import { assertValidRedirectUri, isPrivateUseRedirectUri } from './utils'; |
| 3 | +import { normalizeClientScopes } from './flow'; |
| 4 | +import messages from './messages.json'; |
| 5 | + |
| 6 | +const CLIENT_METADATA_MAX_BYTES = 64 * 1024; |
| 7 | +const CLIENT_METADATA_FETCH_TIMEOUT_MS = 5000; |
| 8 | + |
| 9 | +type OAuthClientMetadata = { |
| 10 | + client_id: string; |
| 11 | + client_name: string; |
| 12 | + redirect_uris: string[]; |
| 13 | + client_uri?: string; |
| 14 | + logo_uri?: string; |
| 15 | + grant_types?: string[]; |
| 16 | + response_types?: string[]; |
| 17 | + scope?: string; |
| 18 | + token_endpoint_auth_method?: string; |
| 19 | +}; |
| 20 | + |
| 21 | +function oauthClientMetadataError(message: string): never { |
| 22 | + throw new Error(messages.codes.clientMetadataInvalidPrefix + message); |
| 23 | +} |
| 24 | + |
| 25 | +function isRecord(value: unknown): value is Record<string, unknown> { |
| 26 | + return !!value && typeof value === 'object' && !Array.isArray(value); |
| 27 | +} |
| 28 | + |
| 29 | +function assertStringArray(value: unknown, field: string): string[] { |
| 30 | + if ( |
| 31 | + !Array.isArray(value) || |
| 32 | + value.length === 0 || |
| 33 | + !value.every((item) => typeof item === 'string') |
| 34 | + ) { |
| 35 | + oauthClientMetadataError(field); |
| 36 | + } |
| 37 | + return value; |
| 38 | +} |
| 39 | + |
| 40 | +function assertOptionalString(value: unknown, field: string): string | null { |
| 41 | + if (value === undefined || value === null) return null; |
| 42 | + if (typeof value !== 'string') oauthClientMetadataError(field); |
| 43 | + return value; |
| 44 | +} |
| 45 | + |
| 46 | +function assertClientMetadataDocumentUrl(clientId: string): URL { |
| 47 | + let parsed: URL; |
| 48 | + try { |
| 49 | + parsed = new URL(clientId); |
| 50 | + } catch { |
| 51 | + oauthClientMetadataError('client_id_url'); |
| 52 | + } |
| 53 | + |
| 54 | + if (parsed.protocol !== 'https:') oauthClientMetadataError('client_id_scheme'); |
| 55 | + if (parsed.username || parsed.password) oauthClientMetadataError('client_id_userinfo'); |
| 56 | + if (parsed.hash) oauthClientMetadataError('client_id_fragment'); |
| 57 | + if (!parsed.pathname || parsed.pathname === '/') oauthClientMetadataError('client_id_path'); |
| 58 | + |
| 59 | + const rawPath = clientId.replace(/^[a-z][a-z0-9+.-]*:\/\/[^/?#]*/i, '').split(/[?#]/)[0]; |
| 60 | + const hasDotSegment = rawPath.split('/').some((segment) => { |
| 61 | + let decoded = segment; |
| 62 | + try { |
| 63 | + decoded = decodeURIComponent(segment); |
| 64 | + } catch { |
| 65 | + return true; |
| 66 | + } |
| 67 | + return decoded === '.' || decoded === '..'; |
| 68 | + }); |
| 69 | + if (hasDotSegment) { |
| 70 | + oauthClientMetadataError('client_id_path_segments'); |
| 71 | + } |
| 72 | + |
| 73 | + return parsed; |
| 74 | +} |
| 75 | + |
| 76 | +function isNativePublicClientId(clientId: string): boolean { |
| 77 | + if (clientId.length > 255) return false; |
| 78 | + if (clientId.includes('://')) return false; |
| 79 | + const segments = clientId.split('.'); |
| 80 | + if (segments.length < 3) return false; |
| 81 | + return segments.every((segment) => /^[A-Za-z][A-Za-z0-9-]{0,62}$/.test(segment)); |
| 82 | +} |
| 83 | + |
| 84 | +function nativeClientName(clientId: string): string { |
| 85 | + const segments = clientId.split('.'); |
| 86 | + return segments[segments.length - 1] || clientId; |
| 87 | +} |
| 88 | + |
| 89 | +function validateClientMetadata(clientId: string, raw: unknown): OAuthClientMetadata { |
| 90 | + if (!isRecord(raw)) oauthClientMetadataError('document'); |
| 91 | + if (raw.client_id !== clientId) oauthClientMetadataError('client_id_mismatch'); |
| 92 | + if (typeof raw.client_name !== 'string' || raw.client_name.trim().length === 0) { |
| 93 | + oauthClientMetadataError('client_name'); |
| 94 | + } |
| 95 | + |
| 96 | + const redirectUris = assertStringArray(raw.redirect_uris, 'redirect_uris'); |
| 97 | + redirectUris.forEach((uri) => assertValidRedirectUri(uri)); |
| 98 | + |
| 99 | + if ( |
| 100 | + raw.grant_types !== undefined && |
| 101 | + !assertStringArray(raw.grant_types, 'grant_types').includes('authorization_code') |
| 102 | + ) { |
| 103 | + oauthClientMetadataError('grant_types'); |
| 104 | + } |
| 105 | + if ( |
| 106 | + raw.response_types !== undefined && |
| 107 | + !assertStringArray(raw.response_types, 'response_types').includes('code') |
| 108 | + ) { |
| 109 | + oauthClientMetadataError('response_types'); |
| 110 | + } |
| 111 | + if (raw.token_endpoint_auth_method !== undefined && raw.token_endpoint_auth_method !== 'none') { |
| 112 | + oauthClientMetadataError('token_endpoint_auth_method'); |
| 113 | + } |
| 114 | + if (raw.scope !== undefined && typeof raw.scope !== 'string') { |
| 115 | + oauthClientMetadataError('scope'); |
| 116 | + } |
| 117 | + |
| 118 | + return { |
| 119 | + client_id: clientId, |
| 120 | + client_name: raw.client_name.trim(), |
| 121 | + redirect_uris: redirectUris, |
| 122 | + client_uri: assertOptionalString(raw.client_uri, 'client_uri') || undefined, |
| 123 | + logo_uri: assertOptionalString(raw.logo_uri, 'logo_uri') || undefined, |
| 124 | + grant_types: Array.isArray(raw.grant_types) ? (raw.grant_types as string[]) : undefined, |
| 125 | + response_types: Array.isArray(raw.response_types) |
| 126 | + ? (raw.response_types as string[]) |
| 127 | + : undefined, |
| 128 | + scope: typeof raw.scope === 'string' ? raw.scope : undefined, |
| 129 | + token_endpoint_auth_method: |
| 130 | + typeof raw.token_endpoint_auth_method === 'string' |
| 131 | + ? raw.token_endpoint_auth_method |
| 132 | + : undefined, |
| 133 | + }; |
| 134 | +} |
| 135 | + |
| 136 | +async function readClientMetadataJson(response: Response): Promise<unknown> { |
| 137 | + if (!response.ok) oauthClientMetadataError('fetch_status'); |
| 138 | + const contentLength = response.headers.get('content-length'); |
| 139 | + if (contentLength && Number(contentLength) > CLIENT_METADATA_MAX_BYTES) { |
| 140 | + oauthClientMetadataError('document_too_large'); |
| 141 | + } |
| 142 | + |
| 143 | + const bytes = await response.arrayBuffer(); |
| 144 | + if (bytes.byteLength > CLIENT_METADATA_MAX_BYTES) { |
| 145 | + oauthClientMetadataError('document_too_large'); |
| 146 | + } |
| 147 | + |
| 148 | + try { |
| 149 | + return JSON.parse(new TextDecoder().decode(bytes)); |
| 150 | + } catch { |
| 151 | + oauthClientMetadataError('json'); |
| 152 | + } |
| 153 | +} |
| 154 | + |
| 155 | +export function isClientMetadataDocumentClientId(clientId: string): boolean { |
| 156 | + try { |
| 157 | + assertClientMetadataDocumentUrl(clientId); |
| 158 | + return true; |
| 159 | + } catch { |
| 160 | + return false; |
| 161 | + } |
| 162 | +} |
| 163 | + |
| 164 | +export async function fetchOAuthClientMetadataDocument(clientId: string) { |
| 165 | + assertClientMetadataDocumentUrl(clientId); |
| 166 | + const response = await fetch(clientId, { |
| 167 | + headers: { accept: 'application/json' }, |
| 168 | + signal: AbortSignal.timeout(CLIENT_METADATA_FETCH_TIMEOUT_MS), |
| 169 | + }); |
| 170 | + return validateClientMetadata(clientId, await readClientMetadataJson(response)); |
| 171 | +} |
| 172 | + |
| 173 | +export async function resolveOAuthClient(clientId: string) { |
| 174 | + const existing = await findOAuthClient(clientId); |
| 175 | + if (existing) return existing; |
| 176 | + if (!isClientMetadataDocumentClientId(clientId)) return null; |
| 177 | + |
| 178 | + const metadata = await fetchOAuthClientMetadataDocument(clientId); |
| 179 | + return await upsertOAuthClient({ |
| 180 | + clientId: metadata.client_id, |
| 181 | + clientName: metadata.client_name, |
| 182 | + redirectUris: metadata.redirect_uris, |
| 183 | + scopes: normalizeClientScopes(metadata.scope), |
| 184 | + clientUri: metadata.client_uri || null, |
| 185 | + logoUri: metadata.logo_uri || null, |
| 186 | + }); |
| 187 | +} |
| 188 | + |
| 189 | +export async function resolveClientInitiatedOAuthClient( |
| 190 | + clientId: string, |
| 191 | + options: { redirectUri?: string } = {} |
| 192 | +) { |
| 193 | + const existing = await resolveOAuthClient(clientId); |
| 194 | + if (existing) return existing; |
| 195 | + |
| 196 | + if ( |
| 197 | + !options.redirectUri || |
| 198 | + !isNativePublicClientId(clientId) || |
| 199 | + !isPrivateUseRedirectUri(options.redirectUri) |
| 200 | + ) { |
| 201 | + return null; |
| 202 | + } |
| 203 | + |
| 204 | + assertValidRedirectUri(options.redirectUri); |
| 205 | + return await upsertOAuthClient({ |
| 206 | + clientId, |
| 207 | + clientName: nativeClientName(clientId), |
| 208 | + redirectUris: [options.redirectUri], |
| 209 | + scopes: normalizeClientScopes(undefined), |
| 210 | + clientUri: null, |
| 211 | + logoUri: null, |
| 212 | + }); |
| 213 | +} |
| 214 | + |
| 215 | +export const clientMetadataTestExports = { |
| 216 | + validateClientMetadata, |
| 217 | + assertClientMetadataDocumentUrl, |
| 218 | + isNativePublicClientId, |
| 219 | +}; |
0 commit comments