@cloudflare/workers-oauth-provider 0.0.12 → 0.0.13

@@ -876,6 +876,9 @@ var OAuthProviderImpl = class {
876
876
  if (!redirectUris || redirectUris.length === 0) {
877
877
  throw new Error("At least one redirect URI is required");
878
878
  }
879
+ for (const uri of redirectUris) {
880
+ validateRedirectUriScheme(uri);
881
+ }
879
882
  clientInfo = {
880
883
  clientId,
881
884
  redirectUris,
@@ -1069,6 +1072,26 @@ async function generateTokenId(token) {
1069
1072
  const hashHex = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
1070
1073
  return hashHex;
1071
1074
  }
1075
+ function validateRedirectUriScheme(redirectUri) {
1076
+ const dangerousSchemes = ["javascript:", "data:", "vbscript:", "file:", "mailto:", "blob:"];
1077
+ const normalized = redirectUri.trim();
1078
+ for (let i = 0; i < normalized.length; i++) {
1079
+ const code = normalized.charCodeAt(i);
1080
+ if (code >= 0 && code <= 31 || code >= 127 && code <= 159) {
1081
+ throw new Error("Invalid redirect URI");
1082
+ }
1083
+ }
1084
+ const colonIndex = normalized.indexOf(":");
1085
+ if (colonIndex === -1) {
1086
+ throw new Error("Invalid redirect URI");
1087
+ }
1088
+ const scheme = normalized.substring(0, colonIndex + 1).toLowerCase();
1089
+ for (const dangerousScheme of dangerousSchemes) {
1090
+ if (scheme === dangerousScheme) {
1091
+ throw new Error("Invalid redirect URI");
1092
+ }
1093
+ }
1094
+ }
1072
1095
  function base64UrlEncode(str) {
1073
1096
  return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
1074
1097
  }
@@ -1221,9 +1244,7 @@ var OAuthHelpersImpl = class {
1221
1244
  const state = url.searchParams.get("state") || "";
1222
1245
  const codeChallenge = url.searchParams.get("code_challenge") || void 0;
1223
1246
  const codeChallengeMethod = url.searchParams.get("code_challenge_method") || "plain";
1224
- if (redirectUri.startsWith("javascript:") || redirectUri.startsWith("data:") || redirectUri.startsWith("vbscript:") || redirectUri.startsWith("file:") || redirectUri.startsWith("mailto:") || redirectUri.startsWith("blob:")) {
1225
- throw new Error("Invalid redirect URI");
1226
- }
1247
+ validateRedirectUriScheme(redirectUri);
1227
1248
  if (responseType === "token" && !this.provider.options.allowImplicitFlow) {
1228
1249
  throw new Error("The implicit grant flow is not enabled for this provider");
1229
1250
  }
@@ -1382,6 +1403,9 @@ var OAuthHelpersImpl = class {
1382
1403
  registrationDate: Math.floor(Date.now() / 1e3),
1383
1404
  tokenEndpointAuthMethod
1384
1405
  };
1406
+ for (const uri of newClient.redirectUris) {
1407
+ validateRedirectUriScheme(uri);
1408
+ }
1385
1409
  let clientSecret;
1386
1410
  if (!isPublicClient) {
1387
1411
  clientSecret = generateRandomString(32);
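Review bot: `validateRedirectUriScheme` (hunk +1072) takes everything up to the first `:` as the scheme without checking that it is syntactically a scheme, so a string that is not a parseable URI at all still passes as long as the text before its first colon is not on the denylist, and in the visible lines neither registration hunk (+876, +1403) nor the authorize call at +1247 parses the value anywhere else. Replacing the `indexOf`/`substring` extraction with `new URL(normalized)` and comparing `parsed.protocol` against the list would reject malformed input and reuse the runtime's own scheme normalization; the control-character scan can stay in front of it unchanged. The denylist is by nature a secondary guard, the primary protection being exact matching of the redirect URI against the client's registered set, which is outside these hunks, so the function would benefit from a comment stating that intent, e.g. `// Secondary check only: redirect URIs must still be matched exactly against the registered set.` The enclosing methods of the +876, +1247 and +1403 hunks start and end outside the hunks.
```javascript
function validateRedirectUriScheme(redirectUri) {
  // … unchanged: dangerousSchemes list, trim, control-character scan …
  let parsed;
  try {
    parsed = new URL(normalized);
  } catch (err) {
    throw new Error("Invalid redirect URI", { cause: err });
  }
  if (dangerousSchemes.includes(parsed.protocol)) {
    throw new Error("Invalid redirect URI");
  }
}
```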
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@cloudflare/workers-oauth-provider",
3
- "version": "0.0.12",
3
+ "version": "0.0.13",
4
4
  "description": "OAuth provider for Cloudflare Workers",
5
5
  "main": "dist/oauth-provider.js",
6
6
  "types": "dist/oauth-provider.d.ts",