readd wildcard support

Japan7 · Aug 25, 2024 · 8667d53 · 8667d53
1 parent c81e061
commit 8667d53
Show file tree

Hide file tree

Showing 3 changed files with 121 additions and 38 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -16,10 +16,13 @@
     "@discordjs/rest": "2.3.0",
     "@types/lodash-es": "4.17.12",
     "@types/oidc-provider": "8.5.2",
+    "@types/psl": "1.1.3",
     "discord-api-types": "0.37.97",
     "ioredis": "5.4.1",
     "lodash-es": "4.17.21",
     "nitropack": "2.9.7",
-    "oidc-provider": "8.5.1"
+    "oidc-provider": "8.5.1",
+    "psl": "1.9.0",
+    "wildcard": "2.0.1"
   }
 }
diff --git a/server/utils/provider.ts b/server/utils/provider.ts
@@ -1,4 +1,7 @@
-import Provider, { type Configuration } from "oidc-provider";
+import { URL } from "node:url";
+import Provider, { errors, type Configuration } from "oidc-provider";
+import psl from "psl";
+import wildcard from "wildcard";
 
 const config: Configuration = {
   adapter: RedisAdapter,
@@ -47,6 +50,42 @@ const config: Configuration = {
 
   expiresWithSession: () => false,
 
+  extraClientMetadata: {
+    // https://github.com/panva/node-oidc-provider/blob/87cd3c5c335cb30074612b405bd581c6bc76a98d/recipes/redirect_uri_wildcards.md
+    properties: ["redirect_uris"],
+    validator: (ctx, key, value: string[], metadata) => {
+      if (key === "redirect_uris") {
+        for (const redirectUri of value) {
+          if (redirectUri.includes("*")) {
+            const { hostname, href } = new URL(redirectUri);
+            if (href.split("*").length !== 2) {
+              throw new errors.InvalidClientMetadata(
+                "redirect_uris with a wildcard may only contain a single one"
+              );
+            }
+            if (!hostname.includes("*")) {
+              throw new errors.InvalidClientMetadata(
+                "redirect_uris may only have a wildcard in the hostname"
+              );
+            }
+            const test = hostname.replace("*", "test");
+            // checks that the wildcard is for a full subdomain e.g. *.panva.cz, not *suffix.panva.cz
+            if (!wildcard(hostname, test)) {
+              throw new errors.InvalidClientMetadata(
+                "redirect_uris with a wildcard must only match the whole subdomain"
+              );
+            }
+            if (!psl.get(hostname.split("*.")[1])) {
+              throw new errors.InvalidClientMetadata(
+                "redirect_uris with a wildcard must not match an eTLD+1 of a known public suffix domain"
+              );
+            }
+          }
+        }
+      }
+    },
+  },
+
   pkce: {
     required: () => false,
   },
@@ -98,3 +137,20 @@ const config: Configuration = {
 
 export const provider = new Provider(userConfig.publicUrl, config);
 provider.proxy = true;
+
+// https://github.com/panva/node-oidc-provider/blob/87cd3c5c335cb30074612b405bd581c6bc76a98d/recipes/redirect_uri_wildcards.md
+// redirectUriAllowed on a client prototype checks whether a redirect_uri is allowed or not
+const { redirectUriAllowed } = provider.Client.prototype;
+const hasWildcardHost = (redirectUri: string) => {
+  const { hostname } = new URL(redirectUri);
+  return hostname.includes("*");
+};
+const wildcardMatches = (redirectUri: string, wildcardUri: string) =>
+  !!wildcard(wildcardUri, redirectUri);
+provider.Client.prototype.redirectUriAllowed = function (redirectUri) {
+  if (!redirectUri.includes("*")) {
+    return redirectUriAllowed.call(this, redirectUri);
+  }
+  const wildcardUris = this.redirectUris.filter(hasWildcardHost);
+  return wildcardUris.some(wildcardMatches.bind(undefined, redirectUri));
+};