fix(auth): sanitize authorization URL (#16)

superboy-zjc · web-flow · commit 35629664cc5d · 2025-08-07T11:41:09.000+08:00
diff --git a/package.json b/package.json
@@ -30,6 +30,7 @@
     "prompts": "^2.4.2",
     "uri-template": "^2.0.0",
     "yocto-spinner": "^0.2.2",
-    "yoctocolors": "^2.1.1"
+    "yoctocolors": "^2.1.1",
+    "strict-url-sanitise": "^0.0.1"
   }
 }
diff --git a/src/oauth/provider.js b/src/oauth/provider.js
@@ -2,6 +2,7 @@
 
 import open from 'open'
 import { config } from '../config.js'
+import { sanitizeUrl } from 'strict-url-sanitise'
 
 /** @typedef {import("@modelcontextprotocol/sdk/client/auth.js").OAuthClientProvider} OAuthClientProvider */
 /** @implements {OAuthClientProvider} */
@@ -39,7 +40,7 @@ export class McpOAuthClientProvider {
   }
 
   async redirectToAuthorization(authorizationUrl) {
-    await open(authorizationUrl.toString())
+    await open(sanitizeUrl(authorizationUrl.toString()))
   }
 
   async codeVerifier() {

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`
`3`	`3`	`import open from 'open'`
`4`	`4`	`import { config } from '../config.js'`
	`5`	`+import { sanitizeUrl } from 'strict-url-sanitise'`
`5`	`6`
`6`	`7`	`/** @typedef {import("@modelcontextprotocol/sdk/client/auth.js").OAuthClientProvider} OAuthClientProvider */`
`7`	`8`	`/** @implements {OAuthClientProvider} */`
`@@ -39,7 +40,7 @@ export class McpOAuthClientProvider {`
`39`	`40`	`}`
`40`	`41`
`41`	`42`	`async redirectToAuthorization(authorizationUrl) {`
`42`		`- await open(authorizationUrl.toString())`
	`43`	`+ await open(sanitizeUrl(authorizationUrl.toString()))`
`43`	`44`	`}`
`44`	`45`
`45`	`46`	`async codeVerifier() {`