Add skipLocalPkceValidation param and create providers folder

allenzhou101 · allenzhou101 · commit b90192a02037 · 2025-02-28T13:59:23.000-08:00
diff --git a/src/server/auth/handlers/token.test.ts b/src/server/auth/handlers/token.test.ts
@@ -7,7 +7,7 @@ import supertest from 'supertest';
 import * as pkceChallenge from 'pkce-challenge';
 import { InvalidGrantError, InvalidTokenError } from '../errors.js';
 import { AuthInfo } from '../types.js';
-import { ProxyOAuthServerProvider } from '../proxyProvider.js';
+import { ProxyOAuthServerProvider } from '../providers/proxyProvider.js';
 
 // Mock pkce-challenge
 jest.mock('pkce-challenge', () => ({
diff --git a/src/server/auth/handlers/token.ts b/src/server/auth/handlers/token.ts
@@ -14,7 +14,6 @@ import {
   TooManyRequestsError,
   OAuthError
 } from "../errors.js";
-import { ProxyOAuthServerProvider } from "../proxyProvider.js";
 
 export type TokenHandlerOptions = {
   provider: OAuthServerProvider;
@@ -91,9 +90,10 @@ export function tokenHandler({ provider, rateLimit: rateLimitConfig }: TokenHand
 
           const { code, code_verifier } = parseResult.data;
 
-          const skipLocalPkceValidation = provider instanceof ProxyOAuthServerProvider ? provider.skipLocalPkceValidation : false;
+          const skipLocalPkceValidation = provider.skipLocalPkceValidation;
 
-          // Perform local PKCE validation unless explicitly delegated (e.g. by proxy provider)
+          // Perform local PKCE validation unless explicitly skipped 
+          // (e.g. to validate code_verifier in upstream server)
           if (!skipLocalPkceValidation) {
             const codeChallenge = await provider.challengeForAuthorizationCode(client, code);
             if (!(await verifyChallenge(code_verifier, codeChallenge))) {
diff --git a/src/server/auth/provider.ts b/src/server/auth/provider.ts
@@ -54,4 +54,13 @@ export interface OAuthServerProvider {
    * If the given token is invalid or already revoked, this method should do nothing.
    */
   revokeToken?(client: OAuthClientInformationFull, request: OAuthTokenRevocationRequest): Promise<void>;
+
+  /**
+   * Whether to skip local PKCE validation.
+   * 
+   * If true, the server will not perform PKCE validation locally and will pass the code_verifier to the upstream server.
+   * 
+   * NOTE: This should only be true if the upstream server is performing the actual PKCE validation.
+   */
+  skipLocalPkceValidation?: boolean;
 }
diff --git a/src/server/auth/providers/proxyProvider.test.ts b/src/server/auth/providers/proxyProvider.test.ts
@@ -1,10 +1,10 @@
 import { Response } from "express";
 import { ProxyOAuthServerProvider, ProxyOptions } from "./proxyProvider.js";
-import { AuthInfo } from "./types.js";
-import { OAuthClientInformationFull, OAuthTokens } from "../../shared/auth.js";
-import { ServerError } from "./errors.js";
-import { InvalidTokenError } from "./errors.js";
-import { InsufficientScopeError } from "./errors.js";
+import { AuthInfo } from "../types.js";
+import { OAuthClientInformationFull, OAuthTokens } from "../../../shared/auth.js";
+import { ServerError } from "../errors.js";
+import { InvalidTokenError } from "../errors.js";
+import { InsufficientScopeError } from "../errors.js";
 
 describe("Proxy OAuth Server Provider", () => {
   // Mock client data
diff --git a/src/server/auth/providers/proxyProvider.ts b/src/server/auth/providers/proxyProvider.ts
@@ -1,15 +1,15 @@
 import { Response } from "express";
-import { OAuthRegisteredClientsStore } from "./clients.js";
+import { OAuthRegisteredClientsStore } from "../clients.js";
 import {
   OAuthClientInformationFull,
   OAuthClientInformationFullSchema,
   OAuthTokenRevocationRequest,
   OAuthTokens,
   OAuthTokensSchema,
-} from "./../../shared/auth.js";
-import { AuthInfo } from "./types.js";
-import { AuthorizationParams, OAuthServerProvider } from "./provider.js";
-import { ServerError } from "./errors.js";
+} from "../../../shared/auth.js";
+import { AuthInfo } from "../types.js";
+import { AuthorizationParams, OAuthServerProvider } from "../provider.js";
+import { ServerError } from "../errors.js";
 
 export type ProxyEndpoints = {
   authorizationUrl: string;
@@ -44,15 +44,7 @@ export class ProxyOAuthServerProvider implements OAuthServerProvider {
   protected readonly _verifyAccessToken: (token: string) => Promise<AuthInfo>;
   protected readonly _getClient: (clientId: string) => Promise<OAuthClientInformationFull | undefined>;
   
-  /**
-   * Always true for proxy providers since PKCE validation happens at the upstream server.
-   * Can consider adding to the base OAuthServerProvider interface if it becomes useful elsewhere.
-   * This ensures that:
-   * 1. We skip local PKCE validation (which would fail since we don't store challenges)
-   * 2. The code_verifier is still passed through to the upstream server
-   * 3. The upstream server performs the actual PKCE validation
-   */
-  readonly skipLocalPkceValidation = true;
+  skipLocalPkceValidation = true;
 
   revokeToken?: (
     client: OAuthClientInformationFull,
