@better-auth/sso 1.4.7-beta.4 → 1.4.8-beta.1

package/src/oidc/discovery.test.ts

@@ -75,10 +75,13 @@ describe("OIDC Discovery", () => {
 	});
 
 	describe("validateDiscoveryUrl", () => {
+		const isTrustedOrigin = vi.fn().mockReturnValue(true);
+
 		it("should accept valid HTTPS URL", () => {
 			expect(() =>
 				validateDiscoveryUrl(
 					"https://idp.example.com/.well-known/openid-configuration",
+					isTrustedOrigin,
 				),
 			).not.toThrow();
 		});
@@ -87,28 +90,31 @@ describe("OIDC Discovery", () => {
 			expect(() =>
 				validateDiscoveryUrl(
 					"http://localhost:8080/.well-known/openid-configuration",
+					isTrustedOrigin,
 				),
 			).not.toThrow();
 		});
 
 		it("should reject invalid URL", () => {
-			expect(() => validateDiscoveryUrl("not-a-url")).toThrow(DiscoveryError);
-			expect(() => validateDiscoveryUrl("not-a-url")).toThrow(
-				"Invalid discovery URL",
+			expect(() => validateDiscoveryUrl("not-a-url", isTrustedOrigin)).toThrow(
+				DiscoveryError,
+			);
+			expect(() => validateDiscoveryUrl("not-a-url", isTrustedOrigin)).toThrow(
+				'The url "discoveryEndpoint" must be valid',
 			);
 		});
 
 		it("should reject non-HTTP protocols", () => {
-			expect(() => validateDiscoveryUrl("ftp://example.com/config")).toThrow(
-				DiscoveryError,
-			);
-			expect(() => validateDiscoveryUrl("ftp://example.com/config")).toThrow(
-				"must use HTTP or HTTPS",
-			);
+			expect(() =>
+				validateDiscoveryUrl("ftp://example.com/config", isTrustedOrigin),
+			).toThrow(DiscoveryError);
+			expect(() =>
+				validateDiscoveryUrl("ftp://example.com/config", isTrustedOrigin),
+			).toThrow("must use the http or https supported protocols");
 		});
 
 		it("should throw DiscoveryError with discovery_invalid_url code for invalid URL", () => {
-			expect(() => validateDiscoveryUrl("not-a-url")).toThrow(
+			expect(() => validateDiscoveryUrl("not-a-url", isTrustedOrigin)).toThrow(
 				expect.objectContaining({
 					code: "discovery_invalid_url",
 					details: expect.objectContaining({
@@ -119,7 +125,9 @@ describe("OIDC Discovery", () => {
 		});
 
 		it("should throw DiscoveryError with discovery_invalid_url code for non-HTTP protocol", () => {
-			expect(() => validateDiscoveryUrl("ftp://example.com/config")).toThrow(
+			expect(() =>
+				validateDiscoveryUrl("ftp://example.com/config", isTrustedOrigin),
+			).toThrow(
 				expect.objectContaining({
 					code: "discovery_invalid_url",
 					details: expect.objectContaining({
@@ -128,6 +136,22 @@ describe("OIDC Discovery", () => {
 				}),
 			);
 		});
+
+		it("should throw DiscoveryError with discovery_untrusted_origin code for untrusted origins", () => {
+			isTrustedOrigin.mockReturnValue(false);
+
+			expect(() =>
+				validateDiscoveryUrl(
+					"https://untrusted.com/.well-known/openid-configuration",
+					isTrustedOrigin,
+				),
+			).toThrow(
+				expect.objectContaining({
+					code: "discovery_untrusted_origin",
+					message: `The main discovery endpoint "https://untrusted.com/.well-known/openid-configuration" is not trusted by your trusted origins configuration.`,
+				}),
+			);
+		});
 	});
 
 	describe("validateDiscoveryDocument", () => {
@@ -314,18 +338,265 @@ describe("OIDC Discovery", () => {
 		});
 	});
 
-	describe("normalizeDiscoveryUrls (stub)", () => {
-		it("should return document unchanged in Phase 1", () => {
+	describe("normalizeDiscoveryUrls", () => {
+		const isTrustedOrigin = vi.fn().mockReturnValue(true);
+
+		it("should return the document unchanged if all urls are already absolute", () => {
 			const doc = createMockDiscoveryDocument();
-			const result = normalizeDiscoveryUrls(doc, "https://idp.example.com");
+			const result = normalizeDiscoveryUrls(
+				doc,
+				"https://idp.example.com",
+				isTrustedOrigin,
+			);
 			expect(result).toEqual(doc);
 		});
+
+		it("should resolve all required discovery urls relative to the issuer", () => {
+			const expected = createMockDiscoveryDocument({
+				issuer: "https://idp.example.com",
+				authorization_endpoint: "https://idp.example.com/oauth2/authorize",
+				token_endpoint: "https://idp.example.com/oauth2/token",
+				jwks_uri: "https://idp.example.com/.well-known/jwks.json",
+			});
+			const doc = createMockDiscoveryDocument({
+				issuer: "https://idp.example.com",
+				authorization_endpoint: "/oauth2/authorize",
+				token_endpoint: "/oauth2/token",
+				jwks_uri: "/.well-known/jwks.json",
+			});
+			const result = normalizeDiscoveryUrls(
+				doc,
+				"https://idp.example.com",
+				isTrustedOrigin,
+			);
+			expect(result).toEqual(expected);
+		});
+
+		it("should resolve all discovery urls relative to the issuer", () => {
+			const expected = createMockDiscoveryDocument({
+				issuer: "https://idp.example.com",
+				authorization_endpoint: "https://idp.example.com/oauth2/authorize",
+				token_endpoint: "https://idp.example.com/oauth2/token",
+				jwks_uri: "https://idp.example.com/.well-known/jwks.json",
+				userinfo_endpoint: "https://idp.example.com/userinfo",
+				revocation_endpoint: "https://idp.example.com/revoke",
+			});
+			const doc = createMockDiscoveryDocument({
+				issuer: "https://idp.example.com",
+				authorization_endpoint: "/oauth2/authorize",
+				token_endpoint: "/oauth2/token",
+				jwks_uri: "/.well-known/jwks.json",
+				userinfo_endpoint: "/userinfo",
+				revocation_endpoint: "/revoke",
+			});
+			const result = normalizeDiscoveryUrls(
+				doc,
+				"https://idp.example.com",
+				isTrustedOrigin,
+			);
+			expect(result).toEqual(expected);
+		});
+
+		it("should reject on invalid discovery urls", () => {
+			const doc = createMockDiscoveryDocument({
+				authorization_endpoint: "/oauth2/authorize",
+			});
+			expect(() =>
+				normalizeDiscoveryUrls(doc, "not-url", isTrustedOrigin),
+			).toThrowError('The url "authorization_endpoint" must be valid');
+		});
+
+		it("should reject with discovery_untrusted_origin code on untrusted discovery urls", () => {
+			const doc = createMockDiscoveryDocument({
+				authorization_endpoint: "/oauth2/authorize",
+				token_endpoint: "/oauth2/token",
+				jwks_uri: "/.well-known/jwks.json",
+				userinfo_endpoint: "/userinfo",
+				revocation_endpoint: "/revoke",
+				end_session_endpoint: "/endsession",
+				introspection_endpoint: "/introspection",
+			});
+
+			expect(() =>
+				normalizeDiscoveryUrls(
+					doc,
+					"https://idp.example.com",
+					(url) => !url.endsWith("/oauth2/token"),
+				),
+			).toThrowError(
+				expect.objectContaining({
+					code: "discovery_untrusted_origin",
+					message:
+						'The token_endpoint "https://idp.example.com/oauth2/token" is not trusted by your trusted origins configuration.',
+					details: {
+						endpoint: "token_endpoint",
+						url: "https://idp.example.com/oauth2/token",
+					},
+				}),
+			);
+
+			expect(() =>
+				normalizeDiscoveryUrls(
+					doc,
+					"https://idp.example.com",
+					(url) => !url.endsWith("/oauth2/authorize"),
+				),
+			).toThrowError(
+				expect.objectContaining({
+					code: "discovery_untrusted_origin",
+					message:
+						'The authorization_endpoint "https://idp.example.com/oauth2/authorize" is not trusted by your trusted origins configuration.',
+					details: {
+						endpoint: "authorization_endpoint",
+						url: "https://idp.example.com/oauth2/authorize",
+					},
+				}),
+			);
+
+			expect(() =>
+				normalizeDiscoveryUrls(
+					doc,
+					"https://idp.example.com",
+					(url) => !url.endsWith("/.well-known/jwks.json"),
+				),
+			).toThrowError(
+				expect.objectContaining({
+					code: "discovery_untrusted_origin",
+					message:
+						'The jwks_uri "https://idp.example.com/.well-known/jwks.json" is not trusted by your trusted origins configuration.',
+					details: {
+						endpoint: "jwks_uri",
+						url: "https://idp.example.com/.well-known/jwks.json",
+					},
+				}),
+			);
+
+			expect(() =>
+				normalizeDiscoveryUrls(
+					doc,
+					"https://idp.example.com",
+					(url) => !url.endsWith("/userinfo"),
+				),
+			).toThrowError(
+				expect.objectContaining({
+					code: "discovery_untrusted_origin",
+					message:
+						'The userinfo_endpoint "https://idp.example.com/userinfo" is not trusted by your trusted origins configuration.',
+					details: {
+						endpoint: "userinfo_endpoint",
+						url: "https://idp.example.com/userinfo",
+					},
+				}),
+			);
+
+			expect(() =>
+				normalizeDiscoveryUrls(
+					doc,
+					"https://idp.example.com",
+					(url) => !url.endsWith("/revoke"),
+				),
+			).toThrowError(
+				expect.objectContaining({
+					code: "discovery_untrusted_origin",
+					message:
+						'The revocation_endpoint "https://idp.example.com/revoke" is not trusted by your trusted origins configuration.',
+					details: {
+						endpoint: "revocation_endpoint",
+						url: "https://idp.example.com/revoke",
+					},
+				}),
+			);
+
+			expect(() =>
+				normalizeDiscoveryUrls(
+					doc,
+					"https://idp.example.com",
+					(url) => !url.endsWith("/endsession"),
+				),
+			).toThrowError(
+				expect.objectContaining({
+					code: "discovery_untrusted_origin",
+					message:
+						'The end_session_endpoint "https://idp.example.com/endsession" is not trusted by your trusted origins configuration.',
+					details: {
+						endpoint: "end_session_endpoint",
+						url: "https://idp.example.com/endsession",
+					},
+				}),
+			);
+
+			expect(() =>
+				normalizeDiscoveryUrls(
+					doc,
+					"https://idp.example.com",
+					(url) => !url.endsWith("/introspection"),
+				),
+			).toThrowError(
+				expect.objectContaining({
+					code: "discovery_untrusted_origin",
+					message:
+						'The introspection_endpoint "https://idp.example.com/introspection" is not trusted by your trusted origins configuration.',
+					details: {
+						endpoint: "introspection_endpoint",
+						url: "https://idp.example.com/introspection",
+					},
+				}),
+			);
+		});
 	});
 
-	describe("normalizeUrl (stub)", () => {
-		it("should return endpoint unchanged in Phase 1", () => {
+	describe("normalizeUrl", () => {
+		it("should return endpoint unchanged if already absolute", () => {
 			const endpoint = "https://idp.example.com/oauth2/token";
-			expect(normalizeUrl(endpoint, "https://idp.example.com")).toBe(endpoint);
+			expect(normalizeUrl("url", endpoint, "https://idp.example.com")).toBe(
+				endpoint,
+			);
+		});
+
+		it("should return endpoint as an absolute url", () => {
+			const endpoint = "/oauth2/token";
+			expect(normalizeUrl("url", endpoint, "https://idp.example.com")).toBe(
+				"https://idp.example.com/oauth2/token",
+			);
+		});
+
+		it.each([
+			[
+				"/oauth2/token",
+				"https://idp.example.com/base",
+				"endpoint with leading slash",
+			],
+			[
+				"oauth2/token",
+				"https://idp.example.com/base",
+				"endpoint without leading slash",
+			],
+			[
+				"/oauth2/token",
+				"https://idp.example.com/base/",
+				"issuer with trailing slash",
+			],
+			["//oauth2/token", "https://idp.example.com/base//", "multiple slashes"],
+		])("should resolve relative endpoint preserving issuer base path (%s, %s) - %s", (endpoint, issuer) => {
+			expect(normalizeUrl("url", endpoint, issuer)).toBe(
+				"https://idp.example.com/base/oauth2/token",
+			);
+		});
+
+		it("should reject invalid endpoint urls", () => {
+			const endpoint = "oauth2/token";
+			const issuer = "not-a-url";
+			expect(() => normalizeUrl("url", endpoint, issuer)).toThrowError(
+				'The url "url" must be valid',
+			);
+		});
+
+		it("should reject urls with unsupported protocols", () => {
+			const endpoint = "not-a-url";
+			const issuer = "ftp://idp.example.com";
+			expect(() => normalizeUrl("url", endpoint, issuer)).toThrowError(
+				'The url "url" must use the http or https supported protocols',
+			);
 		});
 	});
 
@@ -521,6 +792,7 @@ describe("OIDC Discovery", () => {
 	describe("discoverOIDCConfig (integration)", () => {
 		const mockBetterFetch = betterFetch as ReturnType<typeof vi.fn>;
 		const issuer = "https://idp.example.com";
+		const isTrustedOrigin = vi.fn().mockReturnValue(true);
 
 		beforeEach(() => {
 			vi.clearAllMocks();
@@ -539,7 +811,7 @@ describe("OIDC Discovery", () => {
 				error: null,
 			});
 
-			const result = await discoverOIDCConfig({ issuer });
+			const result = await discoverOIDCConfig({ issuer, isTrustedOrigin });
 
 			expect(result.issuer).toBe(issuer);
 			expect(result.authorizationEndpoint).toBe(`${issuer}/oauth2/authorize`);
@@ -570,6 +842,7 @@ describe("OIDC Discovery", () => {
 					tokenEndpoint: "https://custom.example.com/token",
 					tokenEndpointAuthentication: "client_secret_post",
 				},
+				isTrustedOrigin,
 			});
 
 			expect(result.tokenEndpoint).toBe("https://custom.example.com/token");
@@ -589,6 +862,7 @@ describe("OIDC Discovery", () => {
 			const result = await discoverOIDCConfig({
 				issuer,
 				discoveryEndpoint: customEndpoint,
+				isTrustedOrigin,
 			});
 
 			expect(result.discoveryEndpoint).toBe(customEndpoint);
@@ -610,6 +884,7 @@ describe("OIDC Discovery", () => {
 				existingConfig: {
 					discoveryEndpoint: existingEndpoint,
 				},
+				isTrustedOrigin,
 			});
 
 			expect(result.discoveryEndpoint).toBe(existingEndpoint);
@@ -627,7 +902,9 @@ describe("OIDC Discovery", () => {
 				error: null,
 			});
 
-			await expect(discoverOIDCConfig({ issuer })).rejects.toThrow(
+			await expect(
+				discoverOIDCConfig({ issuer, isTrustedOrigin }),
+			).rejects.toThrow(
 				expect.objectContaining({
 					code: "issuer_mismatch",
 				}),
@@ -643,7 +920,9 @@ describe("OIDC Discovery", () => {
 				error: null,
 			});
 
-			await expect(discoverOIDCConfig({ issuer })).rejects.toThrow(
+			await expect(
+				discoverOIDCConfig({ issuer, isTrustedOrigin }),
+			).rejects.toThrow(
 				expect.objectContaining({
 					code: "discovery_incomplete",
 				}),
@@ -656,7 +935,9 @@ describe("OIDC Discovery", () => {
 				error: { status: 404, message: "Not Found" },
 			});
 
-			await expect(discoverOIDCConfig({ issuer })).rejects.toThrow(
+			await expect(
+				discoverOIDCConfig({ issuer, isTrustedOrigin }),
+			).rejects.toThrow(
 				expect.objectContaining({
 					code: "discovery_not_found",
 				}),
@@ -673,7 +954,7 @@ describe("OIDC Discovery", () => {
 				error: null,
 			});
 
-			const result = await discoverOIDCConfig({ issuer });
+			const result = await discoverOIDCConfig({ issuer, isTrustedOrigin });
 
 			expect(result.scopesSupported).toEqual(scopes);
 		});
@@ -689,7 +970,7 @@ describe("OIDC Discovery", () => {
 				error: null,
 			});
 
-			const result = await discoverOIDCConfig({ issuer });
+			const result = await discoverOIDCConfig({ issuer, isTrustedOrigin });
 
 			expect(result.issuer).toBe(issuer);
 			expect(result.authorizationEndpoint).toBe(`${issuer}/authorize`);
@@ -720,6 +1001,7 @@ describe("OIDC Discovery", () => {
 					tokenEndpointAuthentication: "client_secret_post",
 					scopesSupported: ["openid", "profile"],
 				},
+				isTrustedOrigin,
 			});
 
 			expect(result.issuer).toBe(issuer);
@@ -750,7 +1032,7 @@ describe("OIDC Discovery", () => {
 				error: null,
 			});
 
-			const result = await discoverOIDCConfig({ issuer });
+			const result = await discoverOIDCConfig({ issuer, isTrustedOrigin });
 			expect(result.tokenEndpointAuthentication).toBe("client_secret_basic");
 		});
 
@@ -774,6 +1056,7 @@ describe("OIDC Discovery", () => {
 					// Only jwksEndpoint is set (simulating a legacy/partial config)
 					jwksEndpoint: "https://custom.example.com/jwks",
 				},
+				isTrustedOrigin,
 			});
 
 			// Existing value should be preserved
@@ -804,7 +1087,7 @@ describe("OIDC Discovery", () => {
 				error: null,
 			});
 
-			const result = await discoverOIDCConfig({ issuer });
+			const result = await discoverOIDCConfig({ issuer, isTrustedOrigin });
 
 			// Should successfully extract required fields
 			expect(result.issuer).toBe(issuer);
@@ -819,5 +1102,56 @@ describe("OIDC Discovery", () => {
 			// Should default auth method when not specified
 			expect(result.tokenEndpointAuthentication).toBe("client_secret_basic");
 		});
+
+		it("should throw an error with discovery_untrusted_origin code when the main discovery url is untrusted", async () => {
+			isTrustedOrigin.mockReturnValue(false);
+
+			await expect(
+				discoverOIDCConfig({ issuer, isTrustedOrigin }),
+			).rejects.toThrow(
+				expect.objectContaining({
+					name: "DiscoveryError",
+					message:
+						'The main discovery endpoint "https://idp.example.com/.well-known/openid-configuration" is not trusted by your trusted origins configuration.',
+					code: "discovery_untrusted_origin",
+					details: {
+						url: "https://idp.example.com/.well-known/openid-configuration",
+					},
+				}),
+			);
+		});
+
+		it("should throw an error with discovery_untrusted_origin code when discovered urls are untrusted", async () => {
+			isTrustedOrigin.mockImplementation((url: string) => {
+				return url.endsWith(".well-known/openid-configuration");
+			});
+
+			const discoveryDoc = createMockDiscoveryDocument({
+				issuer,
+				authorization_endpoint: `${issuer}/oauth2/authorize`,
+				token_endpoint: `${issuer}/oauth2/token`,
+				jwks_uri: `${issuer}/.well-known/jwks.json`,
+				userinfo_endpoint: `${issuer}/userinfo`,
+			});
+			mockBetterFetch.mockResolvedValueOnce({
+				data: discoveryDoc,
+				error: null,
+			});
+
+			await expect(
+				discoverOIDCConfig({ issuer, isTrustedOrigin }),
+			).rejects.toThrow(
+				expect.objectContaining({
+					name: "DiscoveryError",
+					message:
+						'The token_endpoint "https://idp.example.com/oauth2/token" is not trusted by your trusted origins configuration.',
+					code: "discovery_untrusted_origin",
+					details: {
+						endpoint: "token_endpoint",
+						url: "https://idp.example.com/oauth2/token",
+					},
+				}),
+			);
+		});
 	});
 });