wildcard support

Japan7 · Apr 10, 2024 · 6a616f3 · 6a616f3
1 parent 2a82159
commit 6a616f3
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 2 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -20,6 +20,8 @@
     "ioredis": "5.3.2",
     "lodash-es": "4.17.21",
     "nitropack": "2.9.6",
-    "oidc-provider": "8.4.5"
+    "oidc-provider": "8.4.5",
+    "psl": "1.9.0",
+    "wildcard": "2.0.1"
   }
 }
diff --git a/server/utils/provider.ts b/server/utils/provider.ts
@@ -1,4 +1,10 @@
 import Provider, { type Configuration } from "oidc-provider";
+import * as net from "node:net";
+import { URL } from "node:url";
+
+import wildcard from "wildcard";
+import psl from "psl";
+import { errors } from "oidc-provider";
 
 const config: Configuration = {
   adapter: RedisAdapter,
@@ -30,6 +36,41 @@ const config: Configuration = {
     keys: userConfig.oidc.cookies.keys,
   },
   expiresWithSession: () => false,
+  extraClientMetadata: {
+    // https://github.com/panva/node-oidc-provider/blob/87cd3c5c335cb30074612b405bd581c6bc76a98d/recipes/redirect_uri_wildcards.md
+    properties: ["redirect_uris"],
+    validator(ctx, key, value: string[], metadata) {
+      if (key === "redirect_uris") {
+        for (const redirectUri of value) {
+          if (redirectUri.includes("*")) {
+            const { hostname, href } = new URL(redirectUri);
+            if (href.split("*").length !== 2) {
+              throw new errors.InvalidClientMetadata(
+                "redirect_uris with a wildcard may only contain a single one"
+              );
+            }
+            if (!hostname.includes("*")) {
+              throw new errors.InvalidClientMetadata(
+                "redirect_uris may only have a wildcard in the hostname"
+              );
+            }
+            const test = hostname.replace("*", "test");
+            // checks that the wildcard is for a full subdomain e.g. *.panva.cz, not *suffix.panva.cz
+            if (!wildcard(hostname, test)) {
+              throw new errors.InvalidClientMetadata(
+                "redirect_uris with a wildcard must only match the whole subdomain"
+              );
+            }
+            if (!psl.get(hostname.split("*.")[1])) {
+              throw new errors.InvalidClientMetadata(
+                "redirect_uris with a wildcard must not match an eTLD+1 of a known public suffix domain"
+              );
+            }
+          }
+        }
+      }
+    },
+  },
   features: {
     devInteractions: { enabled: false },
   },
@@ -72,3 +113,21 @@ const config: Configuration = {
 
 export const provider = new Provider(userConfig.publicUrl, config);
 provider.proxy = true;
+
+// https://github.com/panva/node-oidc-provider/blob/87cd3c5c335cb30074612b405bd581c6bc76a98d/recipes/redirect_uri_wildcards.md
+// redirectUriAllowed on a client prototype checks whether a redirect_uri is allowed or not
+const { redirectUriAllowed } = provider.Client.prototype;
+const hasWildcardHost = (redirectUri) => {
+  const { hostname } = new URL(redirectUri);
+  return hostname.includes("*");
+};
+const wildcardMatches = (redirectUri, wildcardUri) =>
+  !!wildcard(wildcardUri, redirectUri);
+provider.Client.prototype.redirectUriAllowed =
+  function wildcardRedirectUriAllowed(redirectUri) {
+    if (!redirectUri.includes("*")) {
+      return redirectUriAllowed.call(this, redirectUri);
+    }
+    const wildcardUris = this.redirectUris.filter(hasWildcardHost);
+    return wildcardUris.some(wildcardMatches.bind(undefined, redirectUri));
+  };