graphite/Sharkey
1
0
Fork 0
mirror of https://git.joinsharkey.org/Sharkey/Sharkey.git synced 2024-09-23 02:01:59 +03:00
Code Issues Packages Projects Releases Wiki Activity

rfc 8252

Browse source
This commit is contained in:
Kagami Sascha Rosylight 2023-06-15 22:19:05 +02:00
parent 15f859d562
commit b81e6eeff9
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
packages/backend/src/server/oauth/OAuth2ProviderService.ts
View file

@ -42,6 +42,7 @@ function validateClientId(raw: string): URL {
// https://datatracker.ietf.org/doc/html/rfc6749.html#section-3.1.2.1
// 'The redirection endpoint SHOULD require the use of TLS as described
// in Section 1.6 when the requested response type is "code" or "token"'
// TODO: Consider allowing custom URIs per RFC 8252.
const allowedProtocols = process.env.NODE_ENV === 'test' ? ['http:', 'https:'] : ['https:'];
if (!allowedProtocols.includes(url.protocol)) {
throw new AuthorizationError('client_id must be a valid HTTPS URL', 'invalid_request');
@ -318,7 +319,7 @@ export class OAuth2ProviderService {
const clientUrl = validateClientId(clientID);
// TODO: Consider allowing this for native apps (RFC 8252)
// TODO: Consider allowing localhost for native apps (RFC 8252)
// The current setup requires an explicit list of redirect_uris per
// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.1.3
// which blocks the support. But we could loose the rule in this case.