@cloudflare/workers-oauth-provider 0.0.0-d18b865 → 0.0.0-f8eaa3e

package/dist/oauth-provider.js

@@ -876,6 +876,9 @@ var OAuthProviderImpl = class {
       if (!redirectUris || redirectUris.length === 0) {
         throw new Error("At least one redirect URI is required");
       }
+      for (const uri of redirectUris) {
+        validateRedirectUriScheme(uri);
+      }
       clientInfo = {
         clientId,
         redirectUris,
@@ -1052,7 +1055,7 @@ async function hashSecret(secret) {
   return generateTokenId(secret);
 }
 function generateRandomString(length) {
-  const characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+  const characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
   let result = "";
   const values = new Uint8Array(length);
   crypto.getRandomValues(values);
@@ -1069,6 +1072,26 @@ async function generateTokenId(token) {
   const hashHex = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
   return hashHex;
 }
+function validateRedirectUriScheme(redirectUri) {
+  const dangerousSchemes = ["javascript:", "data:", "vbscript:", "file:", "mailto:", "blob:"];
+  const normalized = redirectUri.trim();
+  for (let i = 0; i < normalized.length; i++) {
+    const code = normalized.charCodeAt(i);
+    if (code >= 0 && code <= 31 || code >= 127 && code <= 159) {
+      throw new Error("Invalid redirect URI");
+    }
+  }
+  const colonIndex = normalized.indexOf(":");
+  if (colonIndex === -1) {
+    throw new Error("Invalid redirect URI");
+  }
+  const scheme = normalized.substring(0, colonIndex + 1).toLowerCase();
+  for (const dangerousScheme of dangerousSchemes) {
+    if (scheme === dangerousScheme) {
+      throw new Error("Invalid redirect URI");
+    }
+  }
+}
 function base64UrlEncode(str) {
   return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
 }
@@ -1221,9 +1244,7 @@ var OAuthHelpersImpl = class {
     const state = url.searchParams.get("state") || "";
     const codeChallenge = url.searchParams.get("code_challenge") || void 0;
     const codeChallengeMethod = url.searchParams.get("code_challenge_method") || "plain";
-    if (!redirectUri.startsWith("http://") && !redirectUri.startsWith("https://")) {
-      throw new Error("Invalid redirect URI");
-    }
+    validateRedirectUriScheme(redirectUri);
     if (responseType === "token" && !this.provider.options.allowImplicitFlow) {
       throw new Error("The implicit grant flow is not enabled for this provider");
     }
@@ -1266,6 +1287,16 @@ var OAuthHelpersImpl = class {
    * @returns A Promise resolving to an object containing the redirect URL
    */
   async completeAuthorization(options) {
+    const { clientId, redirectUri } = options.request;
+    if (!clientId || !redirectUri) {
+      throw new Error("Client ID and Redirect URI are required in the authorization request.");
+    }
+    const clientInfo = await this.lookupClient(clientId);
+    if (!clientInfo || !clientInfo.redirectUris.includes(redirectUri)) {
+      throw new Error(
+        "Invalid redirect URI. The redirect URI provided does not match any registered URI for this client."
+      );
+    }
     const grantId = generateRandomString(16);
     const { encryptedData, key: encryptionKey } = await encryptProps(options.props);
     const now = Math.floor(Date.now() / 1e3);
@@ -1372,6 +1403,9 @@ var OAuthHelpersImpl = class {
       registrationDate: Math.floor(Date.now() / 1e3),
       tokenEndpointAuthMethod
     };
+    for (const uri of newClient.redirectUris) {
+      validateRedirectUriScheme(uri);
+    }
     let clientSecret;
     if (!isPublicClient) {
       clientSecret = generateRandomString(32);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-oauth-provider",
-  "version": "0.0.0-d18b865",
+  "version": "0.0.0-f8eaa3e",
   "description": "OAuth provider for Cloudflare Workers",
   "main": "dist/oauth-provider.js",
   "types": "dist/oauth-provider.d.ts",