fix: stricter toString conversion for unsupported types

jankapunkt · jankapunkt · commit aa88382b2bcf · 2026-03-19T08:27:07.000+01:00
diff --git a/lib/grant-types/refresh-token-grant-type.js b/lib/grant-types/refresh-token-grant-type.js
@@ -75,12 +75,14 @@ class RefreshTokenGrantType extends AbstractGrantType {
       throw new InvalidRequestError('Invalid parameter: `refresh_token`');
     }
 
+    // normalize string|number to string
     const refreshToken = toString(request.body.refresh_token);
 
     if (!isFormat.vschar(refreshToken)) {
       throw new InvalidRequestError('Invalid parameter: `refresh_token`');
     }
 
+    // XXX: still passing the original value from request to model
     const token = await this.model.getRefreshToken(request.body.refresh_token);
 
     if (!token) {
diff --git a/lib/handlers/token-handler.js b/lib/handlers/token-handler.js
@@ -129,7 +129,7 @@ class TokenHandler {
       throw new InvalidRequestError('Invalid parameter: `client_id`');
     }
 
-    if (credentials.clientSecret && !isFormat.vschar(credentials.clientSecret)) {
+    if (credentials.clientSecret && (!isStringOrNumber(credentials.clientSecret) || !isFormat.vschar(toString(credentials.clientSecret)))) {
       throw new InvalidRequestError('Invalid parameter: `client_secret`');
     }
 
diff --git a/lib/utils/param-util.js b/lib/utils/param-util.js
@@ -36,19 +36,25 @@ function isDefined (value) {
  * @return {string}
  */
 function toString(value) {
-  if (typeof value === 'string') {
+  const type = typeof value;
+  if (type === 'string') {
     return value;
   }
 
-  if (Object.prototype.hasOwnProperty.call(value, 'toString')) {
-    return value.toString();
+  if (type === 'undefined' || value === null) {
+    throw new TypeError(`Cannot convert ${value} to a string`);
   }
 
-  if (value === null || value === undefined) {
-    return '';
+  if (type === 'number' || type === 'bigint') {
+    const val = String(value);
+    if (val === 'NaN' || val === 'Infinity' || val === '-Infinity') {
+      throw new TypeError(`Invalid numeric value ${value}, cannot be converted to a string (${val})`);
+    }
+    return val;
   }
 
-  return String(value);
+
+  throw new TypeError(`Cannot convert value ${value} of type ${type} to a string`);
 }
 
 module.exports = { isInTypes, isDefined, toString };

Original file line number	Diff line number	Diff line change
`@@ -75,12 +75,14 @@ class RefreshTokenGrantType extends AbstractGrantType {`
`75`	`75`	throw new InvalidRequestError('Invalid parameter: `refresh_token`');
`76`	`76`	`}`
`77`	`77`
	`78`	`+ // normalize string\|number to string`
`78`	`79`	`const refreshToken = toString(request.body.refresh_token);`
`79`	`80`
`80`	`81`	`if (!isFormat.vschar(refreshToken)) {`
`81`	`82`	throw new InvalidRequestError('Invalid parameter: `refresh_token`');
`82`	`83`	`}`
`83`	`84`
	`85`	`+ // XXX: still passing the original value from request to model`
`84`	`86`	`const token = await this.model.getRefreshToken(request.body.refresh_token);`
`85`	`87`
`86`	`88`	`if (!token) {`
Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,7 @@ class TokenHandler {`
`129`	`129`	throw new InvalidRequestError('Invalid parameter: `client_id`');
`130`	`130`	`}`
`131`	`131`
`132`		`- if (credentials.clientSecret && !isFormat.vschar(credentials.clientSecret)) {`
	`132`	`+ if (credentials.clientSecret && (!isStringOrNumber(credentials.clientSecret) \|\| !isFormat.vschar(toString(credentials.clientSecret)))) {`
`133`	`133`	throw new InvalidRequestError('Invalid parameter: `client_secret`');
`134`	`134`	`}`
`135`	`135`