
Commit f43ddfd

fix(endpoint-auth): iss in authorization response should match issuer provided by metadata endpoint
1 parent 372dd35 commit f43ddfd


3 files changed

+11
-5
lines changed


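--- a/packages/endpoint-auth/lib/controllers/consent.js
+++ b/packages/endpoint-auth/lib/controllers/consent.js
@@ -47,6 +47,8 @@ export const consentController = {
 * @see {@link https://indieauth.spec.indieweb.org/#authorization-response}
 */
 post(request, response) {
+const { application } = request.app.locals;
+
 let scope = request.body?.scope;
 const {
 client_id,
@@ -90,7 +92,7 @@ export const consentController = {
 // Authorization response
 const redirect = new URL(redirect_uri);
 redirect.searchParams.set("code", code);
-redirect.searchParams.set("iss", client_id);
+redirect.searchParams.set("iss", application.url);
 redirect.searchParams.set("state", state);
 
 // If client sent optional `me` value in initial authorization request,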
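Review bot: `application.url` is read from `request.app.locals` and passed straight to `redirect.searchParams.set("iss", ...)` on new line 95, and `URLSearchParams.set` stringifies whatever it is given, so an unconfigured `application.url` would produce a redirect carrying the literal `iss=undefined` instead of failing. A guard before the redirect is assembled would make that explicit, e.g. `if (!application?.url) throw new Error("application.url is required to set iss");`. Taking the issuer from server-side configuration rather than the client-supplied `client_id` is the right direction, since clients compare `iss` against the `issuer` value from the metadata document, and that intent deserves a comment on the line: `// iss must be identical to the issuer advertised by the metadata endpoint`. The metadata endpoint's own issuer computation is not on this page, so whether both read the same `application.url` cannot be confirmed here. `post()` starts and ends outside the hunks.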

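--- a/packages/endpoint-auth/test/integration/200-metadata.js
+++ b/packages/endpoint-auth/test/integration/200-metadata.js
@@ -13,10 +13,11 @@ describe("endpoint-auth GET /auth/metadata", () => {
 .get("/auth/metadata")
 .set("accept", "application/json");
 const result = response.body;
+const { host, protocol } = new URL(response.request.url);
 
 assert.ok(result.authorization_endpoint);
 assert.equal(result.code_challenge_methods_supported[0], "S256");
-assert.ok(result.issuer);
+assert.equal(result.issuer, `${protocol}//${host}`);
 assert.equal(result.response_types_supported[0], "code");
 assert.ok(result.scopes_supported);
 assert.ok(result.service_documentation);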

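--- a/packages/endpoint-auth/test/integration/302-consent-submit-authenticate-with-me.js
+++ b/packages/endpoint-auth/test/integration/302-consent-submit-authenticate-with-me.js
@@ -27,17 +27,20 @@ describe("endpoint-auth POST /auth/consent", () => {
 });
 
 it("Returns 302 submitting authenticated user", async () => {
-const result = await request
+const response = await request
 .post("/auth/consent")
 .type("form")
 .query({ request_uri: `urn:ietf:params:oauth:request_uri:${reference}` })
 .send({ password: "foo" });
+const { host, protocol } = new URL(response.request.url);
+const issuer = encodeURIComponent(`${protocol}//${host}`);
 
-assert.equal(response.status, 302);
+assert.equal(response.status, 302);
 assert.match(
-result.headers.location,
+response.headers.location,
 /code=(.*)&iss=(.*)&state=(.*)&me=(.*)/,
 );
+assert.ok(response.headers.location.includes(`iss=${issuer}`));
 });
 
 after(() => server.close());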
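Review bot: The new assertion on line 43 checks `iss` by substring after hand-encoding the origin with `encodeURIComponent`, and together with the regex on line 41 it ties the test to the exact percent-encoding and parameter order of the redirect, neither of which is part of the contract being tested. Parsing the redirect keeps the assertion about the value itself: `const { searchParams } = new URL(response.headers.location);` followed by `assert.equal(searchParams.get("iss"), `${protocol}//${host}`);`. The expected issuer is derived from the request the test server answered, so this presumably relies on the test configuration's `application.url` matching that origin; a short comment on line 36 saying so would help the next reader. The enclosing `describe` block starts before the hunk.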
