refactor: pull structured token rejection to a shared middleware

panva · panva · commit 30367af7ea6a · 2025-07-16T12:42:13.000+02:00
diff --git a/lib/actions/introspection.js b/lib/actions/introspection.js
@@ -1,13 +1,12 @@
-import { decodeProtectedHeader } from 'jose';
-
 import presence from '../helpers/validate_presence.js';
 import getClientAuth from '../shared/client_auth.js';
 import noCache from '../shared/no_cache.js';
 import instance from '../helpers/weak_cache.js';
 import { urlencoded as parseBody } from '../shared/selective_body.js';
 import rejectDupes from '../shared/reject_dupes.js';
 import paramsMiddleware from '../shared/assemble_params.js';
-import { InvalidRequest, UnsupportedTokenType } from '../helpers/errors.js';
+import { InvalidRequest } from '../helpers/errors.js';
+import rejectStructuredTokens from '../shared/reject_structured_tokens.js';
 
 const introspectable = new Set(['AccessToken', 'ClientCredentials', 'RefreshToken']);
 const JWT = 'application/token-introspection+jwt';
@@ -63,6 +62,8 @@ export default function introspectionAction(provider) {
       await next();
     },
 
+    rejectStructuredTokens,
+
     async function jwtIntrospectionResponse(ctx, next) {
       if (jwtIntrospection.enabled) {
         const { client } = ctx.oidc;
@@ -97,15 +98,6 @@ export default function introspectionAction(provider) {
     async function renderTokenResponse(ctx) {
       const { params } = ctx.oidc;
 
-      let tokenIsJWT;
-      try {
-        tokenIsJWT = !!decodeProtectedHeader(params.token);
-      } catch {}
-
-      if (tokenIsJWT) {
-        throw new UnsupportedTokenType('Structured JWT Tokens cannot be introspected via the introspection_endpoint');
-      }
-
       ctx.body = { active: false };
 
       let token;
diff --git a/lib/actions/revocation.js b/lib/actions/revocation.js
@@ -1,12 +1,10 @@
-import { decodeProtectedHeader } from 'jose';
-
-import { UnsupportedTokenType } from '../helpers/errors.js';
 import presence from '../helpers/validate_presence.js';
 import instance from '../helpers/weak_cache.js';
 import getClientAuth from '../shared/client_auth.js';
 import { urlencoded as parseBody } from '../shared/selective_body.js';
 import rejectDupes from '../shared/reject_dupes.js';
 import paramsMiddleware from '../shared/assemble_params.js';
+import rejectStructuredTokens from '../shared/reject_structured_tokens.js';
 import revoke from '../helpers/revoke.js';
 
 const revokeable = new Set(['AccessToken', 'ClientCredentials', 'RefreshToken']);
@@ -54,6 +52,8 @@ export default function revocationAction(provider) {
       await next();
     },
 
+    rejectStructuredTokens,
+
     async function renderTokenResponse(ctx, next) {
       ctx.status = 200;
       ctx.body = '';
@@ -63,15 +63,6 @@ export default function revocationAction(provider) {
     async function revokeToken(ctx) {
       const { params } = ctx.oidc;
 
-      let tokenIsJWT;
-      try {
-        tokenIsJWT = !!decodeProtectedHeader(params.token);
-      } catch {}
-
-      if (tokenIsJWT) {
-        throw new UnsupportedTokenType('Structured JWT Tokens cannot be revoked via the revocation_endpoint');
-      }
-
       let token;
       switch (params.token_type_hint) {
         case 'access_token':
diff --git a/lib/shared/reject_structured_tokens.js b/lib/shared/reject_structured_tokens.js
@@ -0,0 +1,18 @@
+import { decodeProtectedHeader } from 'jose';
+
+import { UnsupportedTokenType } from '../helpers/errors.js';
+
+export default async function rejectStructuredTokens(ctx, next) {
+  const { params } = ctx.oidc;
+
+  let tokenIsJWT;
+  try {
+    tokenIsJWT = !!decodeProtectedHeader(params.token);
+  } catch {}
+
+  if (tokenIsJWT) {
+    throw new UnsupportedTokenType(`Structured JWT Tokens cannot be ${ctx.oidc.route === 'revocation' ? 'revoked' : 'introspected'} via the ${ctx.oidc.route}_endpoint`);
+  }
+
+  return next();
+}
