Add a new OptionalSafeUrlSchema just for retrocompatibility on existing clients

Author: fredericbarthelet

src/shared/auth.test.ts

@@ -1,5 +1,11 @@
 import { describe, it, expect } from '@jest/globals';
-import { SafeUrlSchema, OAuthMetadataSchema, OpenIdProviderMetadataSchema, OAuthClientMetadataSchema } from './auth.js';
+import {
+    SafeUrlSchema,
+    OAuthMetadataSchema,
+    OpenIdProviderMetadataSchema,
+    OAuthClientMetadataSchema,
+    OptionalSafeUrlSchema
+} from './auth.js';
 
 describe('SafeUrlSchema', () => {
     it('accepts valid HTTPS URLs', () => {
@@ -18,14 +24,17 @@ describe('SafeUrlSchema', () => {
 
     it('rejects invalid URLs', () => {
         expect(() => SafeUrlSchema.parse('not-a-url')).toThrow();
+        expect(() => SafeUrlSchema.parse('')).toThrow();
     });
 
     it('works with safeParse', () => {
         expect(() => SafeUrlSchema.safeParse('not-a-url')).not.toThrow();
     });
+});
 
-    it('works with empty string', () => {
-        expect(() => SafeUrlSchema.parse('')).not.toThrow();
+describe('OptionalSafeUrlSchema', () => {
+    it('accepts empty string and transforms it to undefined', () => {
+        expect(OptionalSafeUrlSchema.parse('')).toBe(undefined);
     });
 });
 

src/shared/auth.ts

@@ -23,8 +23,7 @@ export const SafeUrlSchema = z
             return u.protocol !== 'javascript:' && u.protocol !== 'data:' && u.protocol !== 'vbscript:';
         },
         { message: 'URL cannot use javascript:, data:, or vbscript: scheme' }
-    )
-    .or(z.literal(''));
+    );
 
 /**
  * RFC 9728 OAuth Protected Resource Metadata
@@ -152,6 +151,11 @@ export const OAuthErrorResponseSchema = z.object({
     error_uri: z.string().optional()
 });
 
+/**
+ * Optional version of SafeUrlSchema that allows empty string for retrocompatibility on tos_uri and logo_uri
+ */
+export const OptionalSafeUrlSchema = SafeUrlSchema.optional().or(z.literal('').transform(() => undefined));
+
 /**
  * RFC 7591 OAuth 2.0 Dynamic Client Registration metadata
  */
@@ -163,10 +167,10 @@ export const OAuthClientMetadataSchema = z
         response_types: z.array(z.string()).optional(),
         client_name: z.string().optional(),
         client_uri: SafeUrlSchema.optional(),
-        logo_uri: SafeUrlSchema.optional(),
+        logo_uri: OptionalSafeUrlSchema,
         scope: z.string().optional(),
         contacts: z.array(z.string()).optional(),
-        tos_uri: SafeUrlSchema.optional(),
+        tos_uri: OptionalSafeUrlSchema,
         policy_uri: z.string().optional(),
         jwks_uri: SafeUrlSchema.optional(),
         jwks: z.any().optional(),