validation of scope parameter in GET /authorize endpoint

ldgit · Aug 29, 2024 · 74ed401 · 74ed401
1 parent 888e86e
commit 74ed401
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/e2e/oauth2.spec.ts b/e2e/oauth2.spec.ts
@@ -240,6 +240,21 @@ const validPKCEChallenge = "B3b_JHueqI6LBp_WhuR7NfViLSgGVeXBpfpEMjoSdok";
 		invalidQueryString: `response_type=code&scope=basic-info&state=validState&code_challenge=${validPKCEChallenge}&code_challenge_method=S256&response_type=code`,
 		expectedError: "invalid_request",
 	},
+	{
+		description: "invalid scope",
+		invalidQueryString: `response_type=code&scope=full-info&state=validState&code_challenge=${validPKCEChallenge}&code_challenge_method=S256`,
+		expectedError: "invalid_scope",
+	},
+	{
+		description: "missing scope",
+		invalidQueryString: `response_type=code&state=validState&code_challenge=${validPKCEChallenge}&code_challenge_method=S256`,
+		expectedError: "invalid_request",
+	},
+	{
+		description: "duplicate scope",
+		invalidQueryString: `response_type=code&scope=basic-info&state=validState&code_challenge=${validPKCEChallenge}&code_challenge_method=S256&scope=basic-info`,
+		expectedError: "invalid_request",
+	},
 ].forEach(({ description, invalidQueryString, expectedError }) => {
 	test(`/authorize endpoint should redirect back with ${expectedError} error in case of ${description} (${invalidQueryString})`, async ({
 		page,

diff --git a/routes/frontend.ts b/routes/frontend.ts
@@ -206,6 +206,16 @@ export default async function frontend(fastify: FastifyInstance) {
 				return reply.redirect(newRedirectUri);
 			}
 
+			if(request.query.scope !== "basic-info") {
+				const newRedirectUri = attachErrorInformationToRedirectUri(
+					request.query.redirect_uri,
+					request.query.state,
+					!request.query.scope || typeof request.query.scope === 'object' ? "invalid_request" : "invalid_scope",
+				);
+
+				return reply.redirect(newRedirectUri);
+			}
+
 			if (!(await isUserSignedIn(request))) {
 				return reply.redirect(`/login?${querystring.stringify(request.query)}`);
 			}