refactor(endpoint-auth): coerce incoming parameters to strings

paulrobertlloyd · paulrobertlloyd · commit b1034c2db12c · 2023-05-26T23:28:39.000+01:00
diff --git a/packages/endpoint-auth/lib/controllers/authorization.js b/packages/endpoint-auth/lib/controllers/authorization.js
@@ -38,7 +38,7 @@ export const authorizationController = {
       }
 
       // `response_type` must be `code` (or deprecated `id`)
-      if (!/^(code|id)$/.test(request.query.response_type)) {
+      if (!/^(code|id)$/.test(String(request.query.response_type))) {
         throw IndiekitError.badRequest(
           response.locals.__("BadRequestError.invalidValue", "response_type")
         );
@@ -54,7 +54,7 @@ export const authorizationController = {
 
         // Canonicalise URLs for later comparison
         if (request.query[uri]) {
-          request.query[uri] = getCanonicalUrl(request.query[uri]);
+          request.query[uri] = getCanonicalUrl(String(request.query[uri]));
         }
       }
 
@@ -70,7 +70,7 @@ export const authorizationController = {
       }
 
       // Add client information to locals
-      request.app.locals.client = await getClientInformation(client_id);
+      request.app.locals.client = await getClientInformation(String(client_id));
 
       // Use PKCE if code challenge parameters provided
       request.app.locals.usePkce = code_challenge && code_challenge_method;
diff --git a/packages/endpoint-auth/lib/pushed-authorization-request.js b/packages/endpoint-auth/lib/pushed-authorization-request.js
@@ -28,7 +28,7 @@ export const createRequestUri = (request) => {
  */
 export const getRequestUriData = (request) => {
   const { request_uri } = request.query;
-  const reference = request_uri.split(":")[5];
+  const reference = String(request_uri).split(":")[5];
 
   return request.app.locals[reference];
 };

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ export const authorizationController = {`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	// `response_type` must be `code` (or deprecated `id`)
`41`		`- if (!/^(code\|id)$/.test(request.query.response_type)) {`
	`41`	`+ if (!/^(code\|id)$/.test(String(request.query.response_type))) {`
`42`	`42`	`throw IndiekitError.badRequest(`
`43`	`43`	`response.locals.__("BadRequestError.invalidValue", "response_type")`
`44`	`44`	`);`
`@@ -54,7 +54,7 @@ export const authorizationController = {`
`54`	`54`
`55`	`55`	`// Canonicalise URLs for later comparison`
`56`	`56`	`if (request.query[uri]) {`
`57`		`- request.query[uri] = getCanonicalUrl(request.query[uri]);`
	`57`	`+ request.query[uri] = getCanonicalUrl(String(request.query[uri]));`
`58`	`58`	`}`
`59`	`59`	`}`
`60`	`60`
`@@ -70,7 +70,7 @@ export const authorizationController = {`
`70`	`70`	`}`
`71`	`71`
`72`	`72`	`// Add client information to locals`
`73`		`- request.app.locals.client = await getClientInformation(client_id);`
	`73`	`+ request.app.locals.client = await getClientInformation(String(client_id));`
`74`	`74`
`75`	`75`	`// Use PKCE if code challenge parameters provided`
`76`	`76`	`request.app.locals.usePkce = code_challenge && code_challenge_method;`