Better authorization URL handling

2026-03-30 14:12:07 +02:00 · 2025-07-18 14:48:45 -07:00
parent 5061e17700
commit a657c32445
4 changed files with 17 additions and 7 deletions
--- a/plugins/auth-oauth2/src/grants/authorizationCode.ts
+++ b/plugins/auth-oauth2/src/grants/authorizationCode.ts
@@ -52,7 +52,12 @@ export async function getAuthorizationCode(
    return token;
  }

-  const authorizationUrl = new URL(`${authorizationUrlRaw ?? ''}`);
+  let authorizationUrl: URL;
+  try {
+    authorizationUrl = new URL(`${authorizationUrlRaw ?? ''}`);
+  } catch {
+    throw new Error('Invalid authorization URL: ' + authorizationUrlRaw);
+  }
  authorizationUrl.searchParams.set('response_type', 'code');
  authorizationUrl.searchParams.set('client_id', clientId);
  if (redirectUri) authorizationUrl.searchParams.set('redirect_uri', redirectUri);
--- a/plugins/auth-oauth2/src/grants/implicit.ts
+++ b/plugins/auth-oauth2/src/grants/implicit.ts
@@ -31,7 +31,12 @@ export async function getImplicit(
    return token;
  }

-  const authorizationUrl = new URL(`${authorizationUrlRaw ?? ''}`);
+  let authorizationUrl: URL;
+  try {
+    authorizationUrl = new URL(`${authorizationUrlRaw ?? ''}`);
+  } catch {
+    throw new Error('Invalid authorization URL: ' + authorizationUrlRaw);
+  }
  authorizationUrl.searchParams.set('response_type', 'token');
  authorizationUrl.searchParams.set('client_id', clientId);
  if (redirectUri) authorizationUrl.searchParams.set('redirect_uri', redirectUri);
--- a/plugins/auth-oauth2/src/index.ts
+++ b/plugins/auth-oauth2/src/index.ts
@@ -312,10 +312,11 @@ export const plugin: PluginDefinition = {
        const authorizationUrl = stringArg(values, 'authorizationUrl');
        const accessTokenUrl = stringArg(values, 'accessTokenUrl');
        token = await getAuthorizationCode(ctx, contextId, {
-          accessTokenUrl: accessTokenUrl.match(/^https?:\/\//)
-            ? accessTokenUrl
-            : `https://${accessTokenUrl}`,
-          authorizationUrl: authorizationUrl.match(/^https?:\/\//)
+          accessTokenUrl:
+            accessTokenUrl === '' || accessTokenUrl.match(/^https?:\/\//)
+              ? accessTokenUrl
+              : `https://${accessTokenUrl}`,
+          authorizationUrl: authorizationUrl === '' || authorizationUrl.match(/^https?:\/\//)
            ? authorizationUrl
            : `https://${authorizationUrl}`,
          clientId: stringArg(values, 'clientId'),