@cloudflare/workers-oauth-provider 0.7.0 → 0.7.1

package/dist/oauth-provider.d.ts

@@ -809,6 +809,18 @@ interface ClientInfo {
    * URL to the client's JSON Web Key Set for validating signatures
    */
   jwksUri?: string;
+  /**
+   * RFC 7591 §2.2 internationalized variants of the human-readable client
+   * metadata fields, keyed by the raw member name including its BCP 47 language
+   * tag (e.g. `"client_name#ja"`, `"tos_uri#fr"`).
+   *
+   * Only the human-readable fields the RFC names are captured here:
+   * `client_name`, `client_uri`, `logo_uri`, `tos_uri`, and `policy_uri`.
+   * The canonical (un-tagged) values continue to live in their own typed
+   * fields above; this map holds only the locale-specific variants so that
+   * consumers can perform their own locale selection.
+   */
+  i18n?: Record<string, string>;
   /**
    * List of email addresses for contacting the client developers
    */

package/dist/oauth-provider.js

@@ -1921,12 +1921,13 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 			clientInfo = {
 				clientId,
 				redirectUris,
-				clientName: OAuthProviderImpl.validateStringField(clientMetadata.client_name),
-				logoUri: OAuthProviderImpl.validateStringField(clientMetadata.logo_uri),
-				clientUri: OAuthProviderImpl.validateStringField(clientMetadata.client_uri),
-				policyUri: OAuthProviderImpl.validateStringField(clientMetadata.policy_uri),
-				tosUri: OAuthProviderImpl.validateStringField(clientMetadata.tos_uri),
-				jwksUri: OAuthProviderImpl.validateStringField(clientMetadata.jwks_uri),
+				clientName: OAuthProviderImpl.validateStringField(clientMetadata.client_name, "client_name"),
+				logoUri: OAuthProviderImpl.validateOptionalUriField(clientMetadata.logo_uri, "logo_uri"),
+				clientUri: OAuthProviderImpl.validateOptionalUriField(clientMetadata.client_uri, "client_uri"),
+				policyUri: OAuthProviderImpl.validateOptionalUriField(clientMetadata.policy_uri, "policy_uri"),
+				tosUri: OAuthProviderImpl.validateOptionalUriField(clientMetadata.tos_uri, "tos_uri"),
+				jwksUri: OAuthProviderImpl.validateOptionalUriField(clientMetadata.jwks_uri, "jwks_uri"),
+				i18n: OAuthProviderImpl.extractI18nFields(clientMetadata),
 				contacts: OAuthProviderImpl.validateStringArray(clientMetadata.contacts),
 				grantTypes: OAuthProviderImpl.validateStringArray(clientMetadata.grant_types) || [
 					GrantType.AUTHORIZATION_CODE,
@@ -1960,6 +1961,9 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 			registration_client_uri: `${this.options.clientRegistrationEndpoint}/${clientId}`,
 			client_id_issued_at: clientInfo.registrationDate
 		};
+		if (clientInfo.i18n) {
+			for (const [key, value] of Object.entries(clientInfo.i18n)) if (!(key in response)) response[key] = value;
+		}
 		if (clientSecret) {
 			response.client_secret = clientSecret;
 			response.client_secret_expires_at = this.options.clientRegistrationTTL && clientInfo.registrationDate ? clientInfo.registrationDate + this.options.clientRegistrationTTL : 0;
@@ -2203,6 +2207,70 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 		return field;
 	}
 	/**
+	* Validates that a field is an optional URI string using a safe scheme.
+	*
+	* Client metadata URI fields (e.g. logo_uri, client_uri, policy_uri, tos_uri,
+	* jwks_uri) are frequently rendered into HTML attributes such as `<a href>` or
+	* `<img src>` on consent screens. Permitting non-http(s) schemes such as
+	* `javascript:` or `data:` would allow script execution in that context, so we
+	* require an absolute http: or https: URL here, matching how redirect URIs are
+	* already restricted.
+	*
+	* @param field - The field to validate
+	* @param fieldName - Name of the field for error messages
+	* @returns The validated URI string or undefined
+	* @throws Error if the field is not a string or is not an absolute http(s) URL
+	*/
+	static validateOptionalUriField(field, fieldName) {
+		const value = OAuthProviderImpl.validateStringField(field, fieldName);
+		if (value === void 0) return void 0;
+		let parsed;
+		try {
+			parsed = new URL(value);
+		} catch {
+			throw new Error(`Invalid ${fieldName}: must be an absolute http: or https: URL`);
+		}
+		if (parsed.protocol !== "http:" && parsed.protocol !== "https:") throw new Error(`Invalid ${fieldName}: must be an absolute http: or https: URL`);
+		return value;
+	}
+	static {
+		this.I18N_FIELDS = {
+			client_name: "string",
+			client_uri: "uri",
+			logo_uri: "uri",
+			tos_uri: "uri",
+			policy_uri: "uri"
+		};
+	}
+	/**
+	* Extracts RFC 7591 §2.2 internationalized metadata variants from a raw
+	* registration payload.
+	*
+	* Localized variants are expressed by appending a `#<BCP 47 language tag>`
+	* suffix to a metadata member name (e.g. `client_name#ja`, `tos_uri#fr`).
+	* Only the human-readable fields the RFC names are considered; each value is
+	* validated with the same rules as its canonical field (URI fields must be
+	* absolute http(s) URLs). The raw `field#tag` keys are preserved verbatim so
+	* that consumers can do their own locale matching.
+	*
+	* @param raw - The parsed client metadata object
+	* @returns A map of `field#tag` to validated value, or undefined if none present
+	* @throws Error if a localized value fails its field's validation
+	*/
+	static extractI18nFields(raw) {
+		const result = {};
+		for (const key of Object.keys(raw)) {
+			const hashIndex = key.indexOf("#");
+			if (hashIndex <= 0 || hashIndex === key.length - 1) continue;
+			const baseField = key.slice(0, hashIndex);
+			const kind = OAuthProviderImpl.I18N_FIELDS[baseField];
+			if (!kind) continue;
+			const validated = kind === "uri" ? OAuthProviderImpl.validateOptionalUriField(raw[key], key) : OAuthProviderImpl.validateStringField(raw[key], key);
+			if (validated !== void 0) result[key] = validated;
+		}
+		return Object.keys(result).length > 0 ? result : void 0;
+	}
+	/**
 	* Validates that a field is a string array or undefined
 	* @param arr - The array to validate
 	* @param fieldName - Name of the field for error messages
@@ -2250,11 +2318,12 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 				clientId,
 				redirectUris,
 				clientName: OAuthProviderImpl.validateStringField(rawMetadata.client_name, "client_name"),
-				clientUri: OAuthProviderImpl.validateStringField(rawMetadata.client_uri, "client_uri"),
-				logoUri: OAuthProviderImpl.validateStringField(rawMetadata.logo_uri, "logo_uri"),
-				policyUri: OAuthProviderImpl.validateStringField(rawMetadata.policy_uri, "policy_uri"),
-				tosUri: OAuthProviderImpl.validateStringField(rawMetadata.tos_uri, "tos_uri"),
-				jwksUri: OAuthProviderImpl.validateStringField(rawMetadata.jwks_uri, "jwks_uri"),
+				clientUri: OAuthProviderImpl.validateOptionalUriField(rawMetadata.client_uri, "client_uri"),
+				logoUri: OAuthProviderImpl.validateOptionalUriField(rawMetadata.logo_uri, "logo_uri"),
+				policyUri: OAuthProviderImpl.validateOptionalUriField(rawMetadata.policy_uri, "policy_uri"),
+				tosUri: OAuthProviderImpl.validateOptionalUriField(rawMetadata.tos_uri, "tos_uri"),
+				jwksUri: OAuthProviderImpl.validateOptionalUriField(rawMetadata.jwks_uri, "jwks_uri"),
+				i18n: OAuthProviderImpl.extractI18nFields(rawMetadata),
 				contacts: OAuthProviderImpl.validateStringArray(rawMetadata.contacts, "contacts"),
 				grantTypes: OAuthProviderImpl.validateStringArray(rawMetadata.grant_types, "grant_types") || ["authorization_code"],
 				responseTypes: OAuthProviderImpl.validateStringArray(rawMetadata.response_types, "response_types") || ["code"],
@@ -2942,6 +3011,7 @@ var OAuthHelpersImpl = class {
 			policyUri: clientInfo.policyUri,
 			tosUri: clientInfo.tosUri,
 			jwksUri: clientInfo.jwksUri,
+			i18n: clientInfo.i18n,
 			contacts: clientInfo.contacts,
 			grantTypes: clientInfo.grantTypes || [
 				GrantType.AUTHORIZATION_CODE,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-oauth-provider",
-  "version": "0.7.0",
+  "version": "0.7.1",
   "description": "OAuth provider for Cloudflare Workers",
   "main": "dist/oauth-provider.js",
   "types": "dist/oauth-provider.d.ts",