Validate redirect URIs _as_ URIs

Author: jspahrsummers

src/server/auth/handlers/authorize.ts

@@ -1,6 +1,7 @@
 import { RequestHandler } from "express";
 import { z } from "zod";
 import { OAuthRegisteredClientsStore } from "../clients.js";
+import { isValidUrl } from "../validation.js";
 
 export type AuthorizationHandlerOptions = {
   /**
@@ -11,7 +12,7 @@ export type AuthorizationHandlerOptions = {
 
 const ClientAuthorizationParamsSchema = z.object({
   client_id: z.string(),
-  redirect_uri: z.string().optional(),
+  redirect_uri: z.string().optional().refine((value) => value === undefined || isValidUrl(value), { message: "redirect_uri must be a valid URL" }),
 });
 
 const RequestAuthorizationParamsSchema = z.object({
@@ -45,7 +46,7 @@ export function authorizationHandler({ store }: AuthorizationHandlerOptions): Re
 
     if (redirect_uri !== undefined) {
       if (!client.redirect_uris.includes(redirect_uri)) {
-        res.status(400).end("Bad Request: invalid redirect_uri");
+        res.status(400).end("Bad Request: unregistered redirect_uri");
         return;
       }
     } else if (client.redirect_uris.length === 1) {

src/server/auth/validation.ts

@@ -0,0 +1,8 @@
+export function isValidUrl(s: string): boolean {
+  try {
+    new URL(s);
+    return true;
+  } catch (error) {
+    return false;
+  }
+}

src/shared/auth.ts

@@ -1,4 +1,5 @@
 import { z } from "zod";
+import { isValidUrl } from "../server/auth/validation.js";
 
 /**
  * RFC 8414 OAuth 2.0 Authorization Server Metadata
@@ -61,7 +62,7 @@ export const OAuthErrorSchema = z
  * RFC 7591 OAuth 2.0 Dynamic Client Registration metadata
  */
 export const OAuthClientMetadataSchema = z.object({
-  redirect_uris: z.array(z.string()),
+  redirect_uris: z.array(z.string()).refine((uris) => uris.every(isValidUrl), { message: "redirect_uris must contain valid URLs" }),
   token_endpoint_auth_method: z.string().optional(),
   grant_types: z.array(z.string()).optional(),
   response_types: z.array(z.string()).optional(),