validation of code_challenge_method parameter in GET /authorize e…

…ndpoint
ldgit · Aug 29, 2024 · 5be4a52 · 5be4a52
1 parent d08f8a9
commit 5be4a52
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/e2e/oauth2.spec.ts b/e2e/oauth2.spec.ts
@@ -272,6 +272,21 @@ const validPKCEChallenge = "B3b_JHueqI6LBp_WhuR7NfViLSgGVeXBpfpEMjoSdok";
 		invalidQueryString: `response_type=code&scope=basic-info&state=validState&code_challenge=${validPKCEChallenge}&code_challenge_method=S256&code_challenge=${validPKCEChallenge}`,
 		expectedError: "invalid_request",
 	},
+	{
+		description: "unsupported code_challenge_method",
+		invalidQueryString: `response_type=code&scope=basic-info&state=validState&code_challenge=${validPKCEChallenge}&code_challenge_method=S224`,
+		expectedError: "invalid_request",
+	},
+	{
+		description: "missing code_challenge_method",
+		invalidQueryString: `response_type=code&scope=basic-info&state=validState&code_challenge=${validPKCEChallenge}`,
+		expectedError: "invalid_request",
+	},
+	{
+		description: "duplicate code_challenge_method",
+		invalidQueryString: `response_type=code&code_challenge_method=S256&scope=basic-info&state=validState&code_challenge=${validPKCEChallenge}&code_challenge_method=S256`,
+		expectedError: "invalid_request",
+	},
 ].forEach(({ description, invalidQueryString, expectedError }) => {
 	test(`/authorize endpoint should redirect back with ${expectedError} error in case of ${description} (${invalidQueryString})`, async ({
 		page,

diff --git a/routes/frontend.ts b/routes/frontend.ts
@@ -228,6 +228,16 @@ export default async function frontend(fastify: FastifyInstance) {
 				return reply.redirect(newRedirectUri);
 			}
 
+			if (request.query.code_challenge_method !== "S256") {
+				const newRedirectUri = attachErrorInformationToRedirectUri(
+					request.query.redirect_uri,
+					request.query.state,
+					"invalid_request",
+				);
+
+				return reply.redirect(newRedirectUri);
+			}
+
 			if (!(await isUserSignedIn(request))) {
 				return reply.redirect(`/login?${querystring.stringify(request.query)}`);
 			}