@mantiq/oauth 0.5.21 → 0.5.22

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mantiq/oauth",
-  "version": "0.5.21",
+  "version": "0.5.22",
   "description": "OAuth 2.0 server — authorization code (PKCE), client credentials, JWT access tokens, scopes",
   "type": "module",
   "license": "MIT",

package/src/grants/AuthCodeGrant.ts

@@ -36,7 +36,8 @@ export class AuthCodeGrant implements GrantHandler {
 
     // Verify client secret for confidential clients
     if (client.confidential()) {
-      if (!clientSecret || clientSecret !== client.getAttribute('secret')) {
+      const storedSecret = client.getAttribute('secret') as string
+      if (!clientSecret || !timingSafeEqual(clientSecret, storedSecret)) {
         throw new OAuthError('Invalid client credentials.', 'invalid_client', 401)
       }
     }
@@ -157,3 +158,20 @@ export class AuthCodeGrant implements GrantHandler {
     throw new OAuthError(`Unsupported code challenge method: ${method}`, 'invalid_request')
   }
 }
+
+/**
+ * Constant-time string comparison to prevent timing attacks on secret verification.
+ */
+function timingSafeEqual(a: string, b: string): boolean {
+  if (a.length !== b.length) return false
+
+  const encoder = new TextEncoder()
+  const bufA = encoder.encode(a)
+  const bufB = encoder.encode(b)
+
+  let result = 0
+  for (let i = 0; i < bufA.length; i++) {
+    result |= bufA[i]! ^ bufB[i]!
+  }
+  return result === 0
+}

package/src/grants/ClientCredentialsGrant.ts

@@ -30,8 +30,9 @@ export class ClientCredentialsGrant implements GrantHandler {
     const client = await Client.find(clientId)
     if (!client) throw new OAuthError('Client not found.', 'invalid_client', 401)
 
-    // Verify secret
-    if (clientSecret !== client.getAttribute('secret')) {
+    // Verify secret (constant-time comparison to prevent timing attacks)
+    const storedSecret = client.getAttribute('secret') as string
+    if (!timingSafeEqual(clientSecret, storedSecret)) {
       throw new OAuthError('Invalid client credentials.', 'invalid_client', 401)
     }
 
@@ -77,3 +78,20 @@ export class ClientCredentialsGrant implements GrantHandler {
     }
   }
 }
+
+/**
+ * Constant-time string comparison to prevent timing attacks on secret verification.
+ */
+function timingSafeEqual(a: string, b: string): boolean {
+  if (a.length !== b.length) return false
+
+  const encoder = new TextEncoder()
+  const bufA = encoder.encode(a)
+  const bufB = encoder.encode(b)
+
+  let result = 0
+  for (let i = 0; i < bufA.length; i++) {
+    result |= bufA[i]! ^ bufB[i]!
+  }
+  return result === 0
+}

package/src/grants/RefreshTokenGrant.ts

@@ -32,9 +32,10 @@ export class RefreshTokenGrant implements GrantHandler {
     const client = await Client.find(clientId)
     if (!client) throw new OAuthError('Client not found.', 'invalid_client', 401)
 
-    // Verify secret for confidential clients
+    // Verify secret for confidential clients (constant-time comparison to prevent timing attacks)
     if (client.confidential()) {
-      if (!clientSecret || clientSecret !== client.getAttribute('secret')) {
+      const storedSecret = client.getAttribute('secret') as string
+      if (!clientSecret || !timingSafeEqual(clientSecret, storedSecret)) {
         throw new OAuthError('Invalid client credentials.', 'invalid_client', 401)
       }
     }
@@ -127,3 +128,20 @@ export class RefreshTokenGrant implements GrantHandler {
     }
   }
 }
+
+/**
+ * Constant-time string comparison to prevent timing attacks on secret verification.
+ */
+function timingSafeEqual(a: string, b: string): boolean {
+  if (a.length !== b.length) return false
+
+  const encoder = new TextEncoder()
+  const bufA = encoder.encode(a)
+  const bufB = encoder.encode(b)
+
+  let result = 0
+  for (let i = 0; i < bufA.length; i++) {
+    result |= bufA[i]! ^ bufB[i]!
+  }
+  return result === 0
+}

package/src/routes/AuthorizationController.ts

@@ -78,6 +78,12 @@ export class AuthorizationController {
     const client = await Client.find(clientId)
     if (!client) throw new OAuthError('Client not found.', 'invalid_client')
 
+    // Validate redirect URI matches client's registered URI (same check as GET)
+    const allowedRedirect = client.getAttribute('redirect') as string
+    if (allowedRedirect && redirectUri !== allowedRedirect) {
+      throw new OAuthError('Invalid redirect URI.', 'invalid_request')
+    }
+
     const userId = typeof user.getAuthIdentifier === 'function'
       ? user.getAuthIdentifier()
       : user.id ?? user.getAttribute?.('id')
@@ -114,11 +120,22 @@ export class AuthorizationController {
    * Deny the authorization request.
    */
   async deny(request: MantiqRequest): Promise<Response> {
+    const clientId = await request.input('client_id') as string | undefined
     const redirectUri = await request.input('redirect_uri') as string | undefined
     const state = await request.input('state') as string | undefined
 
+    if (!clientId) throw new OAuthError('The client_id parameter is required.', 'invalid_request')
     if (!redirectUri) throw new OAuthError('The redirect_uri parameter is required.', 'invalid_request')
 
+    // Validate redirect URI against client's registered URI (same check as approve)
+    const client = await Client.find(clientId)
+    if (!client) throw new OAuthError('Client not found.', 'invalid_client')
+
+    const allowedRedirect = client.getAttribute('redirect') as string
+    if (allowedRedirect && redirectUri !== allowedRedirect) {
+      throw new OAuthError('Invalid redirect URI.', 'invalid_request')
+    }
+
     const url = new URL(redirectUri)
     url.searchParams.set('error', 'access_denied')
     url.searchParams.set('error_description', 'The user denied the authorization request.')