@boxyhq/saml-jackson 1.1.4 → 1.1.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/controller/oauth.js +10 -4
- package/dist/typings.d.ts +3 -2
- package/package.json +1 -1
package/dist/controller/oauth.js
CHANGED
|
@@ -294,7 +294,7 @@ class OAuthController {
|
|
|
294
294
|
publicKey: samlConfig.certs.publicKey,
|
|
295
295
|
});
|
|
296
296
|
const sessionId = crypto_1.default.randomBytes(16).toString('hex');
|
|
297
|
-
const requested = { client_id, state };
|
|
297
|
+
const requested = { client_id, state, redirect_uri };
|
|
298
298
|
if (requestedTenant) {
|
|
299
299
|
requested.tenant = requestedTenant;
|
|
300
300
|
}
|
|
@@ -542,8 +542,9 @@ class OAuthController {
|
|
|
542
542
|
* expires_in: 300
|
|
543
543
|
*/
|
|
544
544
|
token(body) {
|
|
545
|
+
var _a, _b, _c;
|
|
545
546
|
return __awaiter(this, void 0, void 0, function* () {
|
|
546
|
-
const { client_id, client_secret, code_verifier, code, grant_type = 'authorization_code' } = body;
|
|
547
|
+
const { client_id, client_secret, code_verifier, code, grant_type = 'authorization_code', redirect_uri, } = body;
|
|
547
548
|
metrics.increment('oauthToken');
|
|
548
549
|
if (grant_type !== 'authorization_code') {
|
|
549
550
|
throw new error_1.JacksonError('Unsupported grant_type', 400);
|
|
@@ -555,6 +556,11 @@ class OAuthController {
|
|
|
555
556
|
if (!codeVal || !codeVal.profile) {
|
|
556
557
|
throw new error_1.JacksonError('Invalid code', 403);
|
|
557
558
|
}
|
|
559
|
+
if ((_a = codeVal.requested) === null || _a === void 0 ? void 0 : _a.redirect_uri) {
|
|
560
|
+
if (redirect_uri !== codeVal.requested.redirect_uri) {
|
|
561
|
+
throw new error_1.JacksonError(`Invalid request: ${!redirect_uri ? 'redirect_uri missing' : 'redirect_uri mismatch'}`, 400);
|
|
562
|
+
}
|
|
563
|
+
}
|
|
558
564
|
if (code_verifier) {
|
|
559
565
|
// PKCE flow
|
|
560
566
|
let cv = code_verifier;
|
|
@@ -594,8 +600,8 @@ class OAuthController {
|
|
|
594
600
|
// store details against a token
|
|
595
601
|
const token = crypto_1.default.randomBytes(20).toString('hex');
|
|
596
602
|
const tokenVal = Object.assign(Object.assign({}, codeVal.profile), { requested: codeVal.requested });
|
|
597
|
-
const requestedOIDCFlow = !!codeVal.requested.oidc;
|
|
598
|
-
const requestHasNonce = !!codeVal.requested.nonce;
|
|
603
|
+
const requestedOIDCFlow = !!((_b = codeVal.requested) === null || _b === void 0 ? void 0 : _b.oidc);
|
|
604
|
+
const requestHasNonce = !!((_c = codeVal.requested) === null || _c === void 0 ? void 0 : _c.nonce);
|
|
599
605
|
if (requestedOIDCFlow) {
|
|
600
606
|
const { jwtSigningKeys, jwsAlg } = this.opts.openid;
|
|
601
607
|
if (!jwtSigningKeys || !(0, utils_1.isJWSKeyPairLoaded)(jwtSigningKeys)) {
|
package/dist/typings.d.ts
CHANGED
|
@@ -4,8 +4,8 @@ export declare type IdPConfig = {
|
|
|
4
4
|
redirectUrl: string[] | string;
|
|
5
5
|
tenant: string;
|
|
6
6
|
product: string;
|
|
7
|
-
name
|
|
8
|
-
description
|
|
7
|
+
name?: string;
|
|
8
|
+
description?: string;
|
|
9
9
|
rawMetadata?: string;
|
|
10
10
|
encodedRawMetadata?: string;
|
|
11
11
|
};
|
|
@@ -89,6 +89,7 @@ export interface OAuthTokenReq {
|
|
|
89
89
|
code_verifier: string;
|
|
90
90
|
code: string;
|
|
91
91
|
grant_type: 'authorization_code';
|
|
92
|
+
redirect_uri?: string;
|
|
92
93
|
}
|
|
93
94
|
export interface OAuthTokenRes {
|
|
94
95
|
access_token: string;
|