chore: cleanup a little bit more 🎉

Signed-off-by: benjdlambert <ben@blam.sh>

Signed-off-by: benjdlambert <ben@blam.sh>

plugins/auth-backend/migrations/20250909120000_oidc_client_registration.js

@@ -44,12 +44,12 @@ exports.up = async function up(knex) {
       .comment('The name of the client, should be human readable');
 
     table
-      .text('response_types')
+      .text('response_types', 'longtext')
       .notNullable()
       .comment('JSON array of supported response types');
 
     table
-      .text('grant_types')
+      .text('grant_types', 'longtext')
       .notNullable()
       .comment('JSON array of supported grant types');
 
@@ -82,7 +82,10 @@ exports.up = async function up(knex) {
       .nullable()
       .comment('Backstage user entity reference');
 
-    table.text('redirect_uri').notNullable().comment('Client redirect URI');
+    table
+      .text('redirect_uri', 'longtext')
+      .notNullable()
+      .comment('Client redirect URI');
 
     table.text('scope').nullable().comment('Requested scopes space-separated');
 

plugins/auth-backend/package.json

@@ -60,6 +60,7 @@
     "knex": "^3.0.0",
     "lodash": "^4.17.21",
     "luxon": "^3.0.0",
+    "matcher": "^4.0.0",
     "minimatch": "^9.0.0",
     "passport": "^0.7.0",
     "uuid": "^11.0.0"

plugins/auth-backend/src/migrations.test.ts

@@ -281,28 +281,6 @@ describe('migrations', () => {
         }),
       );
 
-      await expect(
-        knex
-          .insert({
-            id: 'invalid-session',
-            client_id: 'non-existent-client',
-            redirect_uri: 'https://example.com/callback',
-            response_type: 'code',
-            expires_at: new Date(),
-          })
-          .into('oauth_authorization_sessions'),
-      ).rejects.toThrow();
-
-      await expect(
-        knex
-          .insert({
-            code: 'invalid-code',
-            session_id: 'non-existent-session',
-            expires_at: new Date(),
-          })
-          .into('oidc_authorization_codes'),
-      ).rejects.toThrow();
-
       await knex('oauth_authorization_sessions')
         .where('id', 'test-session-id')
         .del();

plugins/auth-backend/src/service/OidcService.test.ts

@@ -244,16 +244,16 @@ describe('OidcService', () => {
           mocks: { config },
         } = await createOidcService(databaseId);
 
-        config.getOptionalStringArray.mockReturnValue(['cursor://*']);
+        config.getOptionalStringArray.mockReturnValue(['cursor:*']);
 
         const client = await service.registerClient({
           clientName: 'Test Client',
-          redirectUris: ['cursor://callback'],
+          redirectUris: ['cursor://callback/asd?asd=asd'],
         });
 
         expect(client).toEqual(
           expect.objectContaining({
-            redirectUris: ['cursor://callback'],
+            redirectUris: ['cursor://callback/asd?asd=asd'],
           }),
         );
       });

plugins/auth-backend/src/service/OidcService.ts

@@ -25,6 +25,7 @@ import { decodeJwt } from 'jose';
 import crypto from 'crypto';
 import { OidcDatabase } from '../database/OidcDatabase';
 import { DateTime } from 'luxon';
+import matcher from 'matcher';
 
 export class OidcService {
   private constructor(
@@ -121,17 +122,15 @@ export class OidcService {
 
     const allowedRedirectUriPatterns = this.config.getOptionalStringArray(
       'auth.experimentalDynamicClientRegistration.allowedRedirectUriPatterns',
-    );
+    ) ?? ['*'];
 
-    if (allowedRedirectUriPatterns) {
-      for (const redirectUri of opts.redirectUris ?? []) {
-        if (
-          !allowedRedirectUriPatterns.some(pattern =>
-            new RegExp(pattern).test(redirectUri),
-          )
-        ) {
-          throw new InputError('Invalid redirect_uri');
-        }
+    for (const redirectUri of opts.redirectUris ?? []) {
+      if (
+        !allowedRedirectUriPatterns.some(pattern =>
+          matcher.isMatch(redirectUri, pattern),
+        )
+      ) {
+        throw new InputError('Invalid redirect_uri');
       }
     }
 

yarn.lock

@@ -4196,6 +4196,7 @@ __metadata:
     knex: "npm:^3.0.0"
     lodash: "npm:^4.17.21"
     luxon: "npm:^3.0.0"
+    matcher: "npm:^4.0.0"
     minimatch: "npm:^9.0.0"
     passport: "npm:^0.7.0"
     supertest: "npm:^7.0.0"
@@ -37208,6 +37209,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"matcher@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "matcher@npm:4.0.0"
+  dependencies:
+    escape-string-regexp: "npm:^4.0.0"
+  checksum: 10/d338aff31d8dfd3626873e43777f46b123579734d53bb8d18d64b08a822ba5e8d39f5fe2e23403258e6143aa0cbe20a15662720d825cd0d3af961d5a44230328
+  languageName: node
+  linkType: hard
+
 "material-ui-confirm@npm:^3.0.12":
   version: 3.0.18
   resolution: "material-ui-confirm@npm:3.0.18"