Use URL.canParse instead of custom isValidUrl

jspahrsummers · jspahrsummers · commit 76b9781c850e · 2025-02-18T10:33:21.000Z
diff --git a/src/server/auth/handlers/authorize.ts b/src/server/auth/handlers/authorize.ts
@@ -1,6 +1,5 @@
 import { RequestHandler } from "express";
 import { z } from "zod";
-import { isValidUrl } from "../validation.js";
 import { OAuthServerProvider } from "../provider.js";
 
 export type AuthorizationHandlerOptions = {
@@ -10,7 +9,7 @@ export type AuthorizationHandlerOptions = {
 // Parameters that must be validated in order to issue redirects.
 const ClientAuthorizationParamsSchema = z.object({
   client_id: z.string(),
-  redirect_uri: z.string().optional().refine((value) => value === undefined || isValidUrl(value), { message: "redirect_uri must be a valid URL" }),
+  redirect_uri: z.string().optional().refine((value) => value === undefined || URL.canParse(value), { message: "redirect_uri must be a valid URL" }),
 });
 
 // Parameters that must be validated for a successful authorization request. Failure can be reported to the redirect URI.
diff --git a/src/server/auth/validation.ts b/src/server/auth/validation.ts
diff --git a/src/shared/auth.ts b/src/shared/auth.ts
@@ -1,5 +1,4 @@
 import { z } from "zod";
-import { isValidUrl } from "../server/auth/validation.js";
 
 /**
  * RFC 8414 OAuth 2.0 Authorization Server Metadata
@@ -62,7 +61,7 @@ export const OAuthErrorSchema = z
  * RFC 7591 OAuth 2.0 Dynamic Client Registration metadata
  */
 export const OAuthClientMetadataSchema = z.object({
-  redirect_uris: z.array(z.string()).refine((uris) => uris.every(isValidUrl), { message: "redirect_uris must contain valid URLs" }),
+  redirect_uris: z.array(z.string()).refine((uris) => uris.every((uri) => URL.canParse(uri)), { message: "redirect_uris must contain valid URLs" }),
   token_endpoint_auth_method: z.string().optional(),
   grant_types: z.array(z.string()).optional(),
   response_types: z.array(z.string()).optional(),
