
Validate account_management_uri and account_management_actions_supported from OIDC Issuer well-known (#4074)

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
This commit is contained in:
Michael Telatynski
2024-02-21 14:56:11 +00:00
committed by GitHub
parent b474439256
commit c27c357688
2 changed files with 28 additions and 4 deletions


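--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -125,6 +125,8 @@ describe("validateOIDCIssuerWellKnown", () => {
 response_types_supported: ["code"],
 grant_types_supported: ["authorization_code"],
 code_challenge_methods_supported: ["S256"],
+account_management_uri: "https://authorize.org/account",
+account_management_actions_supported: ["org.matrix.cross_signing_reset"],
 };
 beforeEach(() => {
 // stub to avoid console litter
@@ -157,6 +159,8 @@ describe("validateOIDCIssuerWellKnown", () => {
 authorizationEndpoint: validWk.authorization_endpoint,
 tokenEndpoint: validWk.token_endpoint,
 registrationEndpoint: validWk.registration_endpoint,
+accountManagementActionsSupported: ["org.matrix.cross_signing_reset"],
+accountManagementEndpoint: "https://authorize.org/account",
 });
 });
@@ -167,6 +171,8 @@ describe("validateOIDCIssuerWellKnown", () => {
 authorizationEndpoint: validWk.authorization_endpoint,
 tokenEndpoint: validWk.token_endpoint,
 registrationEndpoint: undefined,
+accountManagementActionsSupported: ["org.matrix.cross_signing_reset"],
+accountManagementEndpoint: "https://authorize.org/account",
 });
 });
@@ -186,6 +192,8 @@ describe("validateOIDCIssuerWellKnown", () => {
 ["code_challenge_methods_supported", undefined],
 ["code_challenge_methods_supported", "not an array"],
 ["code_challenge_methods_supported", ["doesnt include S256"]],
+["account_management_uri", { not: "a string" }],
+["account_management_actions_supported", { not: "an array" }],
 ])("should throw OP support error when %s is %s", (key, value) => {
 const wk = {
 ...validWk,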
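Review bot: The two rows added to the "should throw OP support error" table cover a non-array `account_management_actions_supported`, but not an array that contains a non-string element, so the `every((v) => typeof v === "string")` branch of the new `optionalStringArrayProperty` validator in the second file is never driven to its failing path; adding a row such as `["account_management_actions_supported", [123]]` would pin that the validator rejects mixed-type arrays rather than only non-arrays. The happy-path cases in the earlier hunks only assert the new fields when both are present in `validWk`; a case with both keys absent, expecting `accountManagementEndpoint: undefined` and `accountManagementActionsSupported: undefined`, would confirm the optional handling the way the existing `registrationEndpoint: undefined` case does. The `it.each` table starts before this hunk and its callback body continues past it.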


@ -31,6 +31,8 @@ export type ValidatedIssuerConfig = {
authorizationEndpoint: string; authorizationEndpoint: string;
tokenEndpoint: string; tokenEndpoint: string;
registrationEndpoint?: string; registrationEndpoint?: string;
accountManagementEndpoint?: string;
accountManagementActionsSupported?: string[];
}; };
/** /**
@ -74,6 +76,16 @@ const optionalStringProperty = (wellKnown: Record<string, unknown>, key: string)
} }
return true; return true;
}; };
const optionalStringArrayProperty = (wellKnown: Record<string, unknown>, key: string): boolean => {
if (
!!wellKnown[key] &&
(!Array.isArray(wellKnown[key]) || !(<unknown[]>wellKnown[key]).every((v) => typeof v === "string"))
) {
logger.error(`Invalid property: ${key}`);
return false;
}
return true;
};
const requiredArrayValue = (wellKnown: Record<string, unknown>, key: string, value: any): boolean => { const requiredArrayValue = (wellKnown: Record<string, unknown>, key: string, value: any): boolean => {
const array = wellKnown[key]; const array = wellKnown[key];
if (!array || !Array.isArray(array) || !array.includes(value)) { if (!array || !Array.isArray(array) || !array.includes(value)) {
@ -102,6 +114,8 @@ export const validateOIDCIssuerWellKnown = (wellKnown: unknown): ValidatedIssuer
requiredStringProperty(wellKnown, "token_endpoint"), requiredStringProperty(wellKnown, "token_endpoint"),
requiredStringProperty(wellKnown, "revocation_endpoint"), requiredStringProperty(wellKnown, "revocation_endpoint"),
optionalStringProperty(wellKnown, "registration_endpoint"), optionalStringProperty(wellKnown, "registration_endpoint"),
optionalStringProperty(wellKnown, "account_management_uri"),
optionalStringArrayProperty(wellKnown, "account_management_actions_supported"),
requiredArrayValue(wellKnown, "response_types_supported", "code"), requiredArrayValue(wellKnown, "response_types_supported", "code"),
requiredArrayValue(wellKnown, "grant_types_supported", "authorization_code"), requiredArrayValue(wellKnown, "grant_types_supported", "authorization_code"),
requiredArrayValue(wellKnown, "code_challenge_methods_supported", "S256"), requiredArrayValue(wellKnown, "code_challenge_methods_supported", "S256"),
@ -109,10 +123,12 @@ export const validateOIDCIssuerWellKnown = (wellKnown: unknown): ValidatedIssuer
if (!isInvalid) { if (!isInvalid) {
return { return {
authorizationEndpoint: wellKnown["authorization_endpoint"], authorizationEndpoint: <string>wellKnown["authorization_endpoint"],
tokenEndpoint: wellKnown["token_endpoint"], tokenEndpoint: <string>wellKnown["token_endpoint"],
registrationEndpoint: wellKnown["registration_endpoint"], registrationEndpoint: <string>wellKnown["registration_endpoint"],
} as ValidatedIssuerConfig; accountManagementEndpoint: <string>wellKnown["account_management_uri"],
accountManagementActionsSupported: <string[]>wellKnown["account_management_actions_supported"],
};
} }
logger.error("Issuer configuration not valid"); logger.error("Issuer configuration not valid");