groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(GRO-689): only validate authorizationUrl hostname, add OIDC_INTERNAL_BASE in dev

Browse Source 
- Move hostname validation to run AFTER OIDC_INTERNAL_BASE replacement
  (was checking raw discovery URLs before replacement caused false positives)
- Only validate authorizationUrl hostname against issuer; token/userinfo
  are server-to-server and may legitimately use internal hostnames
- Infra: add OIDC_INTERNAL_BASE env var to dev overlay (was missing, matches UAT)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Flea Flicker
2026-04-16 04:42:59 +00:00
parent 376180ab9d
commit cdf4d6c4b1
2 changed files with 7 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/api/src/__tests__/clients.test.ts
+3 -2
View File
@@ -195,10 +195,11 @@ describe("POST /clients", () => {
expect(insertedValues[0]!.name).toBe("Charlie"); expect(insertedValues[0]!.name).toBe("Charlie");
}); });
it("creates a client with only required name field", async () => { it("creates a client with name and email", async () => {
const res = await jsonRequest("POST", "/clients", { name: "Dana" }); const res = await jsonRequest("POST", "/clients", { name: "Dana", email: "dana@example.com" });
expect(res.status).toBe(201); expect(res.status).toBe(201);
expect(insertedValues[0]!.name).toBe("Dana"); expect(insertedValues[0]!.name).toBe("Dana");
expect(insertedValues[0]!.email).toBe("dana@example.com");
}); });
it("rejects empty name", async () => { it("rejects empty name", async () => {
apps/api/src/lib/auth.ts
+4 -8
View File
@@ -204,15 +204,11 @@ export async function initAuth(): Promise<void> {
const userInfoUrl = discovery.userinfo_endpoint; const userInfoUrl = discovery.userinfo_endpoint;
if (authzUrl && tokenUrl && userInfoUrl) { if (authzUrl && tokenUrl && userInfoUrl) {
const authzUrlObj = new URL(authzUrl); const authzUrlObj = new URL(authzUrl);
const tokenUrlObj = new URL(tokenUrl); // Only validate authorizationUrl hostname against issuer — token/userinfo
const userInfoUrlObj = new URL(userInfoUrl); // may legitimately use internal hostnames (OIDC_INTERNAL_BASE) for server-to-server calls.
if ( if (authzUrlObj.hostname !== issuerHostname) {
authzUrlObj.hostname !== issuerHostname ||
tokenUrlObj.hostname !== issuerHostname ||
userInfoUrlObj.hostname !== issuerHostname
) {
throw new Error( throw new Error(
`[FATAL] OIDC discovery URL hostname mismatch: expected '${issuerHostname}' but got '${authzUrlObj.hostname}', '${tokenUrlObj.hostname}', or '${userInfoUrlObj.hostname}'. This may indicate a man-in-the-middle attack.` `[FATAL] OIDC discovery URL hostname mismatch: expected '${issuerHostname}' but got '${authzUrlObj.hostname}'. This may indicate a man-in-the-middle attack.`
); );
} }
oidcConfig = { oidcConfig = {