@mantiq/oauth 0.5.23 → 0.6.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mantiq/oauth",
-  "version": "0.5.23",
+  "version": "0.6.0",
   "description": "OAuth 2.0 server — authorization code (PKCE), client credentials, JWT access tokens, scopes",
   "type": "module",
   "license": "MIT",

package/src/grants/AuthCodeGrant.ts

@@ -34,19 +34,54 @@ export class AuthCodeGrant implements GrantHandler {
     const client = await Client.find(clientId)
     if (!client) throw new OAuthError('Client not found.', 'invalid_client', 401)
 
-    // Verify client secret for confidential clients
+    // Verify client secret for confidential clients.
+    // Uses bcrypt verification against the stored hash (not plaintext comparison).
     if (client.confidential()) {
-      const storedSecret = client.getAttribute('secret') as string
-      if (!clientSecret || !timingSafeEqual(clientSecret, storedSecret)) {
+      if (!clientSecret) {
         throw new OAuthError('Invalid client credentials.', 'invalid_client', 401)
       }
+      const secretValid = await client.verifySecret(clientSecret)
+      if (!secretValid) {
+        throw new OAuthError('Invalid client credentials.', 'invalid_client', 401)
+      }
+    }
+
+    // Security: validate redirect_uri against the client's registered redirect.
+    // This prevents an attacker from exchanging a stolen auth code with a
+    // different redirect_uri to intercept the tokens.
+    const allowedRedirect = client.getAttribute('redirect') as string
+    if (allowedRedirect) {
+      try {
+        const requestedUrl = new URL(redirectUri)
+        const allowedUrl = new URL(allowedRedirect)
+        if (
+          requestedUrl.origin !== allowedUrl.origin ||
+          requestedUrl.pathname !== allowedUrl.pathname ||
+          requestedUrl.search !== allowedUrl.search
+        ) {
+          throw new OAuthError('Redirect URI does not match the registered URI.', 'invalid_grant')
+        }
+      } catch (e) {
+        if (e instanceof OAuthError) throw e
+        throw new OAuthError('Invalid redirect URI format.', 'invalid_request')
+      }
     }
 
-    // Resolve auth code
-    const authCode = await AuthCode.where('id', code)
+    // Security: atomically revoke the auth code to prevent TOCTOU race conditions.
+    // A separate lookup + revoke creates a window where two concurrent requests
+    // could both read revoked=false and both exchange the same code for tokens.
+    // Instead, we UPDATE ... WHERE revoked=false and check affected rows.
+    const affected = await AuthCode.where('id', code)
       .where('revoked', false)
-      .first() as AuthCode | null
+      .update({ revoked: true })
+
+    if (!affected || affected === 0) {
+      // Code was already used, doesn't exist, or was revoked
+      throw new OAuthError('Invalid authorization code.', 'invalid_grant')
+    }
 
+    // Now load the auth code to read its attributes (already revoked atomically above)
+    const authCode = await AuthCode.find(code) as AuthCode | null
     if (!authCode) throw new OAuthError('Invalid authorization code.', 'invalid_grant')
 
     // Verify the code belongs to this client
@@ -74,10 +109,6 @@ export class AuthCodeGrant implements GrantHandler {
       }
     }
 
-    // Revoke the auth code (single use)
-    authCode.setAttribute('revoked', true)
-    await authCode.save()
-
     // Issue tokens
     const userId = authCode.getAttribute('user_id') as string
     const scopes = (authCode.getAttribute('scopes') as string[]) || []
@@ -158,20 +189,3 @@ export class AuthCodeGrant implements GrantHandler {
     throw new OAuthError(`Unsupported code challenge method: ${method}`, 'invalid_request')
   }
 }
-
-/**
- * Constant-time string comparison to prevent timing attacks on secret verification.
- */
-function timingSafeEqual(a: string, b: string): boolean {
-  if (a.length !== b.length) return false
-
-  const encoder = new TextEncoder()
-  const bufA = encoder.encode(a)
-  const bufB = encoder.encode(b)
-
-  let result = 0
-  for (let i = 0; i < bufA.length; i++) {
-    result |= bufA[i]! ^ bufB[i]!
-  }
-  return result === 0
-}

package/src/grants/ClientCredentialsGrant.ts

@@ -30,9 +30,9 @@ export class ClientCredentialsGrant implements GrantHandler {
     const client = await Client.find(clientId)
     if (!client) throw new OAuthError('Client not found.', 'invalid_client', 401)
 
-    // Verify secret (constant-time comparison to prevent timing attacks)
-    const storedSecret = client.getAttribute('secret') as string
-    if (!timingSafeEqual(clientSecret, storedSecret)) {
+    // Verify secret (bcrypt verification against the stored hash)
+    const secretValid = await client.verifySecret(clientSecret)
+    if (!secretValid) {
       throw new OAuthError('Invalid client credentials.', 'invalid_client', 401)
     }
 
@@ -78,20 +78,3 @@ export class ClientCredentialsGrant implements GrantHandler {
     }
   }
 }
-
-/**
- * Constant-time string comparison to prevent timing attacks on secret verification.
- */
-function timingSafeEqual(a: string, b: string): boolean {
-  if (a.length !== b.length) return false
-
-  const encoder = new TextEncoder()
-  const bufA = encoder.encode(a)
-  const bufB = encoder.encode(b)
-
-  let result = 0
-  for (let i = 0; i < bufA.length; i++) {
-    result |= bufA[i]! ^ bufB[i]!
-  }
-  return result === 0
-}

package/src/grants/RefreshTokenGrant.ts

@@ -32,10 +32,13 @@ export class RefreshTokenGrant implements GrantHandler {
     const client = await Client.find(clientId)
     if (!client) throw new OAuthError('Client not found.', 'invalid_client', 401)
 
-    // Verify secret for confidential clients (constant-time comparison to prevent timing attacks)
+    // Verify secret for confidential clients (bcrypt verification against the stored hash)
     if (client.confidential()) {
-      const storedSecret = client.getAttribute('secret') as string
-      if (!clientSecret || !timingSafeEqual(clientSecret, storedSecret)) {
+      if (!clientSecret) {
+        throw new OAuthError('Invalid client credentials.', 'invalid_client', 401)
+      }
+      const secretValid = await client.verifySecret(clientSecret)
+      if (!secretValid) {
         throw new OAuthError('Invalid client credentials.', 'invalid_client', 401)
       }
     }
@@ -128,20 +131,3 @@ export class RefreshTokenGrant implements GrantHandler {
     }
   }
 }
-
-/**
- * Constant-time string comparison to prevent timing attacks on secret verification.
- */
-function timingSafeEqual(a: string, b: string): boolean {
-  if (a.length !== b.length) return false
-
-  const encoder = new TextEncoder()
-  const bufA = encoder.encode(a)
-  const bufB = encoder.encode(b)
-
-  let result = 0
-  for (let i = 0; i < bufA.length; i++) {
-    result |= bufA[i]! ^ bufB[i]!
-  }
-  return result === 0
-}

package/src/models/Client.ts

@@ -35,4 +35,28 @@ export class Client extends Model {
   firstParty(): boolean {
     return !!this.getAttribute('personal_access_client')
   }
+
+  /**
+   * Hash the client secret before storing it.
+   * Should be called when creating or updating the client secret.
+   *
+   * Uses Bun.password.hash with bcrypt for secure one-way hashing.
+   * The plaintext secret is returned so it can be shown to the user once.
+   */
+  static async hashSecret(plaintext: string): Promise<string> {
+    return await Bun.password.hash(plaintext, { algorithm: 'bcrypt', cost: 10 })
+  }
+
+  /**
+   * Verify a plaintext secret against the stored hash.
+   *
+   * Uses Bun.password.verify for constant-time comparison against the
+   * bcrypt hash. Returns false if the secret is empty or null.
+   */
+  async verifySecret(plaintext: string): Promise<boolean> {
+    const storedHash = this.getAttribute('secret') as string | null
+    // Security: reject if no secret is stored (public client)
+    if (!storedHash || !plaintext) return false
+    return await Bun.password.verify(plaintext, storedHash)
+  }
 }

package/src/routes/AuthorizationController.ts

@@ -31,11 +31,11 @@ export class AuthorizationController {
     const client = await Client.find(clientId)
     if (!client) throw new OAuthError('Client not found.', 'invalid_client')
 
-    // Validate redirect URI
+    // Security: validate redirect URI by parsing and comparing origin + pathname.
+    // Simple string comparison can be bypassed with trailing slashes, query
+    // params, or path traversal. We also require a registered redirect URI.
     const allowedRedirect = client.getAttribute('redirect') as string
-    if (allowedRedirect && redirectUri !== allowedRedirect) {
-      throw new OAuthError('Invalid redirect URI.', 'invalid_request')
-    }
+    validateRedirectUri(redirectUri, allowedRedirect)
 
     const scopes = scopeParam ? scopeParam.split(' ').filter(Boolean) : []
     const scopeDetails = scopes.map((s) => ({
@@ -78,11 +78,9 @@ export class AuthorizationController {
     const client = await Client.find(clientId)
     if (!client) throw new OAuthError('Client not found.', 'invalid_client')
 
-    // Validate redirect URI matches client's registered URI (same check as GET)
+    // Security: strict redirect URI validation (origin + pathname comparison)
     const allowedRedirect = client.getAttribute('redirect') as string
-    if (allowedRedirect && redirectUri !== allowedRedirect) {
-      throw new OAuthError('Invalid redirect URI.', 'invalid_request')
-    }
+    validateRedirectUri(redirectUri, allowedRedirect)
 
     const userId = typeof user.getAuthIdentifier === 'function'
       ? user.getAuthIdentifier()
@@ -127,14 +125,12 @@ export class AuthorizationController {
     if (!clientId) throw new OAuthError('The client_id parameter is required.', 'invalid_request')
     if (!redirectUri) throw new OAuthError('The redirect_uri parameter is required.', 'invalid_request')
 
-    // Validate redirect URI against client's registered URI (same check as approve)
+    // Validate redirect URI against client's registered URI
     const client = await Client.find(clientId)
     if (!client) throw new OAuthError('Client not found.', 'invalid_client')
 
     const allowedRedirect = client.getAttribute('redirect') as string
-    if (allowedRedirect && redirectUri !== allowedRedirect) {
-      throw new OAuthError('Invalid redirect URI.', 'invalid_request')
-    }
+    validateRedirectUri(redirectUri, allowedRedirect)
 
     const url = new URL(redirectUri)
     url.searchParams.set('error', 'access_denied')
@@ -147,3 +143,55 @@ export class AuthorizationController {
     })
   }
 }
+
+/**
+ * Strictly validate a redirect URI against the client's registered redirect.
+ *
+ * Security: parses both URIs and compares origin (scheme + host + port) and
+ * pathname. This prevents bypasses via trailing slashes, query params,
+ * fragments, or path traversal that simple string matching would miss.
+ *
+ * A registered redirect URI is required — clients without one are rejected.
+ */
+function validateRedirectUri(requested: string, allowed: string): void {
+  if (!allowed) {
+    throw new OAuthError(
+      'Client has no registered redirect URI.',
+      'invalid_request',
+    )
+  }
+
+  let requestedUrl: URL
+  let allowedUrl: URL
+
+  try {
+    requestedUrl = new URL(requested)
+  } catch {
+    throw new OAuthError('Invalid redirect URI format.', 'invalid_request')
+  }
+
+  try {
+    allowedUrl = new URL(allowed)
+  } catch {
+    throw new OAuthError('Client has an invalid registered redirect URI.', 'server_error')
+  }
+
+  // Compare origin (scheme + host + port) and pathname strictly.
+  // Query params and fragments in the requested URI are rejected to
+  // prevent open-redirect attacks via appended parameters.
+  if (
+    requestedUrl.origin !== allowedUrl.origin ||
+    requestedUrl.pathname !== allowedUrl.pathname
+  ) {
+    throw new OAuthError('Invalid redirect URI.', 'invalid_request')
+  }
+
+  // Reject if the requested URI has extra query params or fragments
+  // that differ from the registered one.
+  if (requestedUrl.search !== allowedUrl.search) {
+    throw new OAuthError(
+      'Redirect URI query parameters do not match the registered URI.',
+      'invalid_request',
+    )
+  }
+}