From c2afe12dfd479e95b6cb256c64befcee24a42d0f Mon Sep 17 00:00:00 2001
From: benjdlambert
Date: Tue, 9 Sep 2025 13:50:38 +0200
Subject: [PATCH] chore: cleanup a little bit more :tada:
Signed-off-by: benjdlambert
Signed-off-by: benjdlambert
---
 ...20250909120000_oidc_client_registration.js | 9 +++++---
 plugins/auth-backend/package.json | 1 +
 plugins/auth-backend/src/migrations.test.ts | 22 -------------------
 .../src/service/OidcService.test.ts | 6 ++---
 .../auth-backend/src/service/OidcService.ts | 19 ++++++++--------
 yarn.lock | 10 +++++++++
 6 files changed, 29 insertions(+), 38 deletions(-)
diff --git a/plugins/auth-backend/migrations/20250909120000_oidc_client_registration.js b/plugins/auth-backend/migrations/20250909120000_oidc_client_registration.js
index e175c922c1..87391c3467 100644
--- a/plugins/auth-backend/migrations/20250909120000_oidc_client_registration.js
+++ b/plugins/auth-backend/migrations/20250909120000_oidc_client_registration.js
@@ -44,12 +44,12 @@ exports.up = async function up(knex) {
 .comment('The name of the client, should be human readable');
 table
- .text('response_types')
+ .text('response_types', 'longtext')
 .notNullable()
 .comment('JSON array of supported response types');
 table
- .text('grant_types')
+ .text('grant_types', 'longtext')
 .notNullable()
 .comment('JSON array of supported grant types');
@@ -82,7 +82,10 @@ exports.up = async function up(knex) {
 .nullable()
 .comment('Backstage user entity reference');
- table.text('redirect_uri').notNullable().comment('Client redirect URI');
+ table
+ .text('redirect_uri', 'longtext')
+ .notNullable()
+ .comment('Client redirect URI');
 table.text('scope').nullable().comment('Requested scopes space-separated');
diff --git a/plugins/auth-backend/package.json b/plugins/auth-backend/package.json
index 0dddd935e6..9507df7fc3 100644
--- a/plugins/auth-backend/package.json
+++ b/plugins/auth-backend/package.json
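Review bot: `redirect_uri` is widened to an unbounded `longtext` here, yet nothing in this diff caps the length or number of redirect URIs a registration request may submit, so unless `registerClient` already enforces a limit a single registration can persist arbitrarily large rows; I would add that check in the service and reflect it in the column comment, e.g. `.comment('Client redirect URI (length-capped by OidcService before insert)')`. `scope` on the following line stays plain `text` while the three widened columns get `longtext`; if the widening targets MySQL's 64 KiB `text` limit, either give `scope` the same type or note why it is exempt. Separately, this commit drops the `migrations.test.ts` assertions that inserts into `oauth_authorization_sessions` and `oidc_authorization_codes` with dangling `client_id`/`session_id` are rejected, with no schema change in the diff to explain it; if the foreign keys still exist that coverage should stay, and if they were removed elsewhere the commit message should say so. The `up` function continues outside both hunks.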
@@ -60,6 +60,7 @@
 "knex": "^3.0.0",
 "lodash": "^4.17.21",
 "luxon": "^3.0.0",
+ "matcher": "^4.0.0",
 "minimatch": "^9.0.0",
 "passport": "^0.7.0",
 "uuid": "^11.0.0"
diff --git a/plugins/auth-backend/src/migrations.test.ts b/plugins/auth-backend/src/migrations.test.ts
index 7cb6f982ea..df7063351a 100644
--- a/plugins/auth-backend/src/migrations.test.ts
+++ b/plugins/auth-backend/src/migrations.test.ts
@@ -281,28 +281,6 @@ describe('migrations', () => {
 }),
 );
- await expect(
- knex
- .insert({
- id: 'invalid-session',
- client_id: 'non-existent-client',
- redirect_uri: 'https://example.com/callback',
- response_type: 'code',
- expires_at: new Date(),
- })
- .into('oauth_authorization_sessions'),
- ).rejects.toThrow();
-
- await expect(
- knex
- .insert({
- code: 'invalid-code',
- session_id: 'non-existent-session',
- expires_at: new Date(),
- })
- .into('oidc_authorization_codes'),
- ).rejects.toThrow();
-
 await knex('oauth_authorization_sessions')
 .where('id', 'test-session-id')
 .del();
diff --git a/plugins/auth-backend/src/service/OidcService.test.ts b/plugins/auth-backend/src/service/OidcService.test.ts
index 328a753e4c..e4e1673397 100644
--- a/plugins/auth-backend/src/service/OidcService.test.ts
+++ b/plugins/auth-backend/src/service/OidcService.test.ts
@@ -244,16 +244,16 @@ describe('OidcService', () => {
 mocks: { config },
 } = await createOidcService(databaseId);
- config.getOptionalStringArray.mockReturnValue(['cursor://*']);
+ config.getOptionalStringArray.mockReturnValue(['cursor:*']);
 const client = await service.registerClient({
 clientName: 'Test Client',
- redirectUris: ['cursor://callback'],
+ redirectUris: ['cursor://callback/asd?asd=asd'],
 });
 expect(client).toEqual(
 expect.objectContaining({
- redirectUris: ['cursor://callback'],
+ redirectUris: ['cursor://callback/asd?asd=asd'],
 }),
 );
 });
diff --git a/plugins/auth-backend/src/service/OidcService.ts b/plugins/auth-backend/src/service/OidcService.ts
index e8a308148a..b4c6bb122b 100644
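Review bot: `matcher` is added two lines above `minimatch`, which this package already depends on, so it now carries two glob engines with different rules — in `matcher`, `*` also spans `/` and matching is case-insensitive by default. If `matcher`'s simpler grammar is the intended contract for `allowedRedirectUriPatterns`, a comment at the `OidcService` call site and in the config schema description should say so; otherwise reusing `minimatch` avoids a second supply-chain dependency for the same job.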
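Review bot: The updated test still exercises only the accept path; after the switch to `matcher` there is no assertion that a URI outside the allow-list is rejected, nor one covering what happens when `getOptionalStringArray` returns `undefined` and the `['*']` fallback applies. I would add a companion case that keeps the `['cursor:*']` mock and asserts `await expect(service.registerClient({ clientName: 'Test Client', redirectUris: ['https://example.com/callback'] })).rejects.toThrow('Invalid redirect_uri');`, plus one with the mock returning `undefined` that pins the accept-all default as intentional (or changes it, if it is not). The `describe` block continues outside the hunk.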
--- a/plugins/auth-backend/src/service/OidcService.ts
+++ b/plugins/auth-backend/src/service/OidcService.ts
@@ -25,6 +25,7 @@ import { decodeJwt } from 'jose';
 import crypto from 'crypto';
 import { OidcDatabase } from '../database/OidcDatabase';
 import { DateTime } from 'luxon';
+import matcher from 'matcher';
 export class OidcService {
 private constructor(
@@ -121,17 +122,15 @@ export class OidcService {
 const allowedRedirectUriPatterns = this.config.getOptionalStringArray(
 'auth.experimentalDynamicClientRegistration.allowedRedirectUriPatterns',
- );
+ ) ?? ['*'];
- if (allowedRedirectUriPatterns) {
- for (const redirectUri of opts.redirectUris ?? []) {
- if (
- !allowedRedirectUriPatterns.some(pattern =>
- new RegExp(pattern).test(redirectUri),
- )
- ) {
- throw new InputError('Invalid redirect_uri');
- }
+ for (const redirectUri of opts.redirectUris ?? []) {
+ if (
+ !allowedRedirectUriPatterns.some(pattern =>
- matcher.isMatch(redirectUri, pattern),
+ )
+ ) {
+ throw new InputError('Invalid redirect_uri');
 }
 }
diff --git a/yarn.lock b/yarn.lock
index 853749b99e..5d78326d94 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -4196,6 +4196,7 @@ __metadata:
 knex: "npm:^3.0.0"
 lodash: "npm:^4.17.21"
 luxon: "npm:^3.0.0"
+ matcher: "npm:^4.0.0"
 minimatch: "npm:^9.0.0"
 passport: "npm:^0.7.0"
 supertest: "npm:^7.0.0"
@@ -37208,6 +37209,15 @@ __metadata:
 languageName: node
 linkType: hard
+"matcher@npm:^4.0.0":
+ version: 4.0.0
+ resolution: "matcher@npm:4.0.0"
+ dependencies:
+ escape-string-regexp: "npm:^4.0.0"
+ checksum: 10/d338aff31d8dfd3626873e43777f46b123579734d53bb8d18d64b08a822ba5e8d39f5fe2e23403258e6143aa0cbe20a15662720d825cd0d3af961d5a44230328
+ languageName: node
+ linkType: hard
+
 "material-ui-confirm@npm:^3.0.12":
 version: 3.0.18
 resolution: "material-ui-confirm@npm:3.0.18"
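Review bot: The new `?? ['*']` fallback makes redirect-URI validation fail open when `allowedRedirectUriPatterns` is unset — the same outcome the removed `if (allowedRedirectUriPatterns)` guard produced, but now an explicit policy that deserves a comment and a line in the config key's description, e.g. `// No allow-list configured: every redirect URI is accepted; consider failing closed once dynamic registration leaves experimental.` Because `matcher`'s `*` spans any characters including `/` and comparison is case-insensitive unless `{caseSensitive: true}` is passed, a pattern like `https://example.com*` also matches hosts that merely begin with that string, so the documentation should steer operators toward patterns that end at a path boundary. The move away from the unanchored `new RegExp(pattern)` check is otherwise a clear improvement. The `matcher.isMatch` line carries a `-` marker in this rendering, which I read as an artifact since it is the new call, and the enclosing method (presumably `registerClient`) continues outside the hunk.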