restrict url schemes allowed in oauth metadata

src/shared/auth.ts

@@ -1,12 +1,25 @@
 import { z } from "zod";
 
+/**
+ * Reusable URL validation that disallows javascript: scheme
+ */
+export const SafeUrlSchema = z.string().url()
+  .refine(
+    (url) => URL.canParse(url),
+    {message: "URL must be parseable"}
+  ).refine(
+    (url) =>  !url.toLowerCase().startsWith('javascript:'),
+    { message: "URL cannot use javascript: scheme" }
+);
+
+
 /**
  * RFC 9728 OAuth Protected Resource Metadata
  */
 export const OAuthProtectedResourceMetadataSchema = z
   .object({
     resource: z.string().url(),
-    authorization_servers: z.array(z.string().url()).optional(),
+    authorization_servers: z.array(SafeUrlSchema).optional(),
     jwks_uri: z.string().url().optional(),
     scopes_supported: z.array(z.string()).optional(),
     bearer_methods_supported: z.array(z.string()).optional(),
@@ -28,9 +41,9 @@
 export const OAuthMetadataSchema = z
   .object({
     issuer: z.string(),
-    authorization_endpoint: z.string(),
-    token_endpoint: z.string(),
-    registration_endpoint: z.string().optional(),
+    authorization_endpoint: SafeUrlSchema,
+    token_endpoint: SafeUrlSchema,
+    registration_endpoint: SafeUrlSchema.optional(),
     scopes_supported: z.array(z.string()).optional(),
     response_types_supported: z.array(z.string()),
     response_modes_supported: z.array(z.string()).optional(),
@@ -39,8 +52,8 @@
     token_endpoint_auth_signing_alg_values_supported: z
       .array(z.string())
       .optional(),
-    service_documentation: z.string().optional(),
-    revocation_endpoint: z.string().optional(),
+    service_documentation: SafeUrlSchema.optional(),
+    revocation_endpoint: SafeUrlSchema.optional(),
     revocation_endpoint_auth_methods_supported: z.array(z.string()).optional(),
     revocation_endpoint_auth_signing_alg_values_supported: z
       .array(z.string())
@@ -63,11 +76,11 @@
 export const OpenIdProviderMetadataSchema = z
   .object({
     issuer: z.string(),
-    authorization_endpoint: z.string(),
-    token_endpoint: z.string(),
-    userinfo_endpoint: z.string().optional(),
-    jwks_uri: z.string(),
-    registration_endpoint: z.string().optional(),
+    authorization_endpoint: SafeUrlSchema,
+    token_endpoint: SafeUrlSchema,
+    userinfo_endpoint: SafeUrlSchema.optional(),
+    jwks_uri: SafeUrlSchema,
+    registration_endpoint: SafeUrlSchema.optional(),
     scopes_supported: z.array(z.string()).optional(),
     response_types_supported: z.array(z.string()),
     response_modes_supported: z.array(z.string()).optional(),
@@ -101,8 +114,8 @@
     request_parameter_supported: z.boolean().optional(),
     request_uri_parameter_supported: z.boolean().optional(),
     require_request_uri_registration: z.boolean().optional(),
-    op_policy_uri: z.string().optional(),
-    op_tos_uri: z.string().optional(),
+    op_policy_uri: SafeUrlSchema.optional(),
+    op_tos_uri: SafeUrlSchema.optional(),
   })
   .passthrough();
 
@@ -146,18 +159,18 @@
  * RFC 7591 OAuth 2.0 Dynamic Client Registration metadata
  */
 export const OAuthClientMetadataSchema = z.object({
-  redirect_uris: z.array(z.string()).refine((uris) => uris.every((uri) => URL.canParse(uri)), { message: "redirect_uris must contain valid URLs" }),
+  redirect_uris: z.array(SafeUrlSchema),
   token_endpoint_auth_method: z.string().optional(),
   grant_types: z.array(z.string()).optional(),
   response_types: z.array(z.string()).optional(),
   client_name: z.string().optional(),
-  client_uri: z.string().optional(),
-  logo_uri: z.string().optional(),
+  client_uri: SafeUrlSchema.optional(),
+  logo_uri: SafeUrlSchema.optional(),
   scope: z.string().optional(),
   contacts: z.array(z.string()).optional(),
-  tos_uri: z.string().optional(),
+  tos_uri: SafeUrlSchema.optional(),
   policy_uri: z.string().optional(),
-  jwks_uri: z.string().optional(),
+  jwks_uri: SafeUrlSchema.optional(),
   jwks: z.any().optional(),
   software_id: z.string().optional(),
   software_version: z.string().optional(),