fix: remove query and fragment from htu url. See #1

Author: Otto-AA

solid_client_credentials/dpop_utils.py

@@ -1,6 +1,7 @@
 import datetime
 import math
 from typing import Optional
+from urllib.parse import urlsplit
 from uuid import uuid4
 
 import jwt
@@ -53,7 +54,7 @@ def request_access_token(
 
 def create_dpop_header(url: str, method: str, key: jwk.JWK) -> str:
     payload = {
-        "htu": url,
+        "htu": urlsplit(url)._replace(query="", fragment="").geturl(),
         "htm": method.upper(),
         "jti": str(uuid4()),
         "iat": math.floor(datetime.datetime.now(tz=datetime.timezone.utc).timestamp()),

tests/test_auth.py

@@ -20,3 +20,20 @@ def can_make_authenticated_request(expect, random_css_account: CssAcount):
         private_url = f"{random_css_account.pod_base_url}profile/"
         res = requests.get(private_url, auth=auth, timeout=5000)
         expect(res.status_code) == 200
+
+    def can_make_request_with_query_param(expect, random_css_account: CssAcount):
+        credentials = get_client_credentials(random_css_account)
+        issuer = random_css_account.css_base_url
+
+        token_provider = DpopTokenProvider(
+            issuer_url=issuer,
+            client_id=credentials.client_id,
+            client_secret=credentials.client_secret,
+        )
+        auth = SolidClientCredentialsAuth(token_provider)
+
+        # should remove query params
+        # https://datatracker.ietf.org/doc/html/rfc9449#section-4.2
+        private_url = f"{random_css_account.pod_base_url}profile/?somekey=removeme"
+        res = requests.get(private_url, auth=auth, timeout=5000)
+        expect(res.status_code) == 200