${text}
`);
+ if (res.headers.get('content-type')?.includes('application/json')) {
+ // Client discovery via JSON document (11 July 2024 spec)
+ // https://indieauth.spec.indieweb.org/#client-metadata
+ // "Clients SHOULD have a JSON [RFC7159] document at their client_id URL containing
+ // client metadata defined in [RFC7591], the minimum properties for an IndieAuth
+ // client defined below."
- redirectUris.push(...[...doc.querySelectorAll('link[rel=redirect_uri][href]')].map(el => el.attributes.href));
+ const json = await res.json() as {
+ client_id: string;
+ client_name?: string;
+ client_uri: string;
+ logo_uri?: string;
+ redirect_uris?: string[];
+ };
- let name = id;
- let logo: string | null = null;
- if (text) {
- const microformats = parseMicroformats(doc, res.url, id);
- if (typeof microformats.name === 'string') {
- name = microformats.name;
+ // https://indieauth.spec.indieweb.org/#client-metadata-li-1
+ // "The authorization server MUST verify that the client_id in the document matches the
+ // client_id of the URL where the document was retrieved."
+ if (json.client_id !== id) {
+ throw new AuthorizationError('client_id in the document does not match the client_id URL', 'invalid_request');
}
- if (typeof microformats.logo === 'string') {
- logo = microformats.logo;
+
+ // https://indieauth.spec.indieweb.org/#client-metadata-li-1
+ // "The client_uri MUST be a prefix of the client_id."
+ if (!json.client_uri || !id.startsWith(json.client_uri)) {
+ throw new AuthorizationError('client_uri is not a prefix of client_id', 'invalid_request');
+ }
+
+ if (typeof json.client_name === 'string') {
+ name = json.client_name;
+ }
+
+ if (typeof json.logo_uri === 'string') {
+ // Since uri can be relative, resolve it against the document URL
+ logo = new URL(json.logo_uri, res.url).toString();
+ }
+
+ if (Array.isArray(json.redirect_uris)) {
+ redirectUris.push(...json.redirect_uris.filter((uri): uri is string => typeof uri === 'string'));
+ }
+ } else {
+ // Client discovery via HTML microformats (12 February 2022 spec)
+ // https://indieauth.spec.indieweb.org/20220212/#client-information-discovery
+ // "Authorization servers SHOULD support parsing the [h-app] Microformat from the client_id,
+ // and if there is an [h-app] with a url property matching the client_id URL,
+ // then it should use the name and icon and display them on the authorization prompt."
+ const text = await res.text();
+ const doc = htmlParser.parse(`${text}
`);
+
+ redirectUris.push(...[...doc.querySelectorAll('link[rel=redirect_uri][href]')].map(el => el.attributes.href));
+
+ if (text) {
+ const microformats = parseMicroformats(doc, res.url, id);
+ if (typeof microformats.name === 'string') {
+ name = microformats.name;
+ }
+ if (typeof microformats.logo === 'string') {
+ logo = microformats.logo;
+ }
}
}
@@ -172,6 +215,8 @@ async function discoverClientInformation(logger: Logger, httpRequestService: Htt
logger.error('Error while fetching client information', { err });
if (err instanceof StatusError) {
throw new AuthorizationError('Failed to fetch client information', 'invalid_request');
+ } else if (err instanceof AuthorizationError) {
+ throw err;
} else {
throw new AuthorizationError('Failed to parse client information', 'server_error');
}
diff --git a/packages/backend/test/e2e/oauth.ts b/packages/backend/test/e2e/oauth.ts
index 96a6311a5a..67a9026eb5 100644
--- a/packages/backend/test/e2e/oauth.ts
+++ b/packages/backend/test/e2e/oauth.ts
@@ -28,6 +28,7 @@ const host = `http://127.0.0.1:${port}`;
const clientPort = port + 1;
const redirect_uri = `http://127.0.0.1:${clientPort}/redirect`;
+const redirect_uri2 = `http://127.0.0.1:${clientPort}/redirect2`;
const basicAuthParams: AuthorizationParamsExtended = {
redirect_uri,
@@ -807,65 +808,19 @@ describe('OAuth', () => {
});
});
- // https://indieauth.spec.indieweb.org/#client-information-discovery
describe('Client Information Discovery', () => {
- describe('Redirection', () => {
- const tests: RecordMisklient
- `);
- },
- 'Mixed links': reply => {
- reply.header('Link', '; rel="redirect_uri"');
- reply.send(`
-
-
-
Misklient
- `);
- },
- 'Multiple items in Link header': reply => {
- reply.header('Link', '; rel="redirect_uri",; rel="redirect_uri"');
- reply.send(`
-
-
Misklient
- `);
- },
- 'Multiple items in HTML': reply => {
- reply.send(`
-
-
-
-
Misklient
- `);
- },
- };
-
- for (const [title, replyFunc] of Object.entries(tests)) {
- test(title, async () => {
- sender = replyFunc;
-
- const client = new AuthorizationCode(clientConfig);
-
- const response = await fetch(client.authorizeURL({
- redirect_uri,
- scope: 'write:notes',
- state: 'state',
- code_challenge: 'code',
- code_challenge_method: 'S256',
- } as AuthorizationParamsExtended));
- assert.strictEqual(response.status, 200);
- });
- }
-
- test('No item', async () => {
+ // https://indieauth.spec.indieweb.org/#client-information-discovery
+ describe('JSON client metadata (11 July 2024)', () => {
+ test('Read JSON document', async () => {
sender = (reply): void => {
- reply.send(`
-
-
Misklient
- `);
+ reply.header('content-type', 'application/json');
+ reply.send({
+ client_id: `http://127.0.0.1:${clientPort}/`,
+ client_uri: `http://127.0.0.1:${clientPort}/`,
+ client_name: 'Misklient JSON',
+ logo_uri: '/logo.png',
+ redirect_uris: ['/redirect'],
+ });
};
const client = new AuthorizationCode(clientConfig);
@@ -877,119 +832,294 @@ describe('OAuth', () => {
code_challenge: 'code',
code_challenge_method: 'S256',
} as AuthorizationParamsExtended));
+ assert.strictEqual(response.status, 200);
+ const meta = getMeta(await response.text());
+ assert.strictEqual(meta.clientName, 'Misklient JSON');
+ assert.strictEqual(meta.clientLogo, `http://127.0.0.1:${clientPort}/logo.png`);
+ });
- // direct error because there's no redirect URI to ping
+ test('Merge Link header redirect_uri with JSON redirect_uris', async () => {
+ sender = (reply): void => {
+ reply.header('Link', '; rel="redirect_uri"');
+ reply.header('content-type', 'application/json');
+ reply.send({
+ client_id: `http://127.0.0.1:${clientPort}/`,
+ client_uri: `http://127.0.0.1:${clientPort}/`,
+ client_name: 'Misklient JSON',
+ redirect_uris: ['/redirect'],
+ });
+ };
+
+ const client = new AuthorizationCode(clientConfig);
+
+ const ok1 = await fetch(client.authorizeURL({
+ redirect_uri,
+ scope: 'write:notes',
+ state: 'state',
+ code_challenge: 'code',
+ code_challenge_method: 'S256',
+ } as AuthorizationParamsExtended));
+ assert.strictEqual(ok1.status, 200);
+
+ const ok2 = await fetch(client.authorizeURL({
+ redirect_uri: redirect_uri2,
+ scope: 'write:notes',
+ state: 'state',
+ code_challenge: 'code',
+ code_challenge_method: 'S256',
+ } as AuthorizationParamsExtended));
+ assert.strictEqual(ok2.status, 200);
+ });
+
+ test('Reject when client_id does not match retrieved URL', async () => {
+ sender = (reply): void => {
+ reply.header('content-type', 'application/json');
+ reply.send({
+ client_id: `http://127.0.0.1:${clientPort}/mismatch`,
+ client_uri: `http://127.0.0.1:${clientPort}/`,
+ redirect_uris: ['/redirect'],
+ });
+ };
+
+ const client = new AuthorizationCode(clientConfig);
+ const response = await fetch(client.authorizeURL({
+ redirect_uri,
+ scope: 'write:notes',
+ state: 'state',
+ code_challenge: 'code',
+ code_challenge_method: 'S256',
+ } as AuthorizationParamsExtended));
+ await assertDirectError(response, 400, 'invalid_request');
+ });
+
+ test('Reject when client_uri is not a prefix of client_id', async () => {
+ sender = (reply): void => {
+ reply.header('content-type', 'application/json');
+ reply.send({
+ client_id: `http://127.0.0.1:${clientPort}/`,
+ client_uri: `http://127.0.0.1:${clientPort}/no-prefix/`,
+ redirect_uris: ['/redirect'],
+ });
+ };
+
+ const client = new AuthorizationCode(clientConfig);
+ const response = await fetch(client.authorizeURL({
+ redirect_uri,
+ scope: 'write:notes',
+ state: 'state',
+ code_challenge: 'code',
+ code_challenge_method: 'S256',
+ } as AuthorizationParamsExtended));
+ await assertDirectError(response, 400, 'invalid_request');
+ });
+
+ test('Reject when JSON metadata has no redirect_uris and no Link header', async () => {
+ sender = (reply): void => {
+ reply.header('content-type', 'application/json');
+ reply.send({
+ client_id: `http://127.0.0.1:${clientPort}/`,
+ client_uri: `http://127.0.0.1:${clientPort}/`,
+ client_name: 'Misklient JSON',
+ });
+ };
+
+ const client = new AuthorizationCode(clientConfig);
+ const response = await fetch(client.authorizeURL({
+ redirect_uri,
+ scope: 'write:notes',
+ state: 'state',
+ code_challenge: 'code',
+ code_challenge_method: 'S256',
+ } as AuthorizationParamsExtended));
await assertDirectError(response, 400, 'invalid_request');
});
});
- test('Disallow loopback', async () => {
- await sendEnvUpdateRequest({ key: 'MISSKEY_TEST_CHECK_IP_RANGE', value: '1' });
+ // https://indieauth.spec.indieweb.org/20220212/#client-information-discovery
+ describe('HTML link client metadata (12 Feb 2022)', () => {
+ describe('Redirection', () => {
+ const tests: Record void> = {
+ 'Read HTTP header': reply => {
+ reply.header('Link', '; rel="redirect_uri"');
+ reply.send(`
+
+
Misklient
+ `);
+ },
+ 'Mixed links': reply => {
+ reply.header('Link', '; rel="redirect_uri"');
+ reply.send(`
+
+
+
Misklient
+ `);
+ },
+ 'Multiple items in Link header': reply => {
+ reply.header('Link', '; rel="redirect_uri",; rel="redirect_uri"');
+ reply.send(`
+
+
Misklient
+ `);
+ },
+ 'Multiple items in HTML': reply => {
+ reply.send(`
+
+
+
+
Misklient
+ `);
+ },
+ };
- const client = new AuthorizationCode(clientConfig);
- const response = await fetch(client.authorizeURL({
- redirect_uri,
- scope: 'write:notes',
- state: 'state',
- code_challenge: 'code',
- code_challenge_method: 'S256',
- } as AuthorizationParamsExtended));
- await assertDirectError(response, 400, 'invalid_request');
- });
+ for (const [title, replyFunc] of Object.entries(tests)) {
+ test(title, async () => {
+ sender = replyFunc;
- test('Missing name', async () => {
- sender = (reply): void => {
- reply.header('Link', '; rel="redirect_uri"');
- reply.send();
- };
+ const client = new AuthorizationCode(clientConfig);
- const client = new AuthorizationCode(clientConfig);
+ const response = await fetch(client.authorizeURL({
+ redirect_uri,
+ scope: 'write:notes',
+ state: 'state',
+ code_challenge: 'code',
+ code_challenge_method: 'S256',
+ } as AuthorizationParamsExtended));
+ assert.strictEqual(response.status, 200);
+ });
+ }
- const response = await fetch(client.authorizeURL({
- redirect_uri,
- scope: 'write:notes',
- state: 'state',
- code_challenge: 'code',
- code_challenge_method: 'S256',
- } as AuthorizationParamsExtended));
- assert.strictEqual(response.status, 200);
- assert.strictEqual(getMeta(await response.text()).clientName, `http://127.0.0.1:${clientPort}/`);
- });
+ test('No item', async () => {
+ sender = (reply): void => {
+ reply.send(`
+
+
Misklient
+ `);
+ };
- test('With Logo', async () => {
- sender = (reply): void => {
- reply.header('Link', '; rel="redirect_uri"');
- reply.send(`
-
-
- Misklient
- 
-
- `);
- reply.send();
- };
+ const client = new AuthorizationCode(clientConfig);
- const client = new AuthorizationCode(clientConfig);
+ const response = await fetch(client.authorizeURL({
+ redirect_uri,
+ scope: 'write:notes',
+ state: 'state',
+ code_challenge: 'code',
+ code_challenge_method: 'S256',
+ } as AuthorizationParamsExtended));
- const response = await fetch(client.authorizeURL({
- redirect_uri,
- scope: 'write:notes',
- state: 'state',
- code_challenge: 'code',
- code_challenge_method: 'S256',
- } as AuthorizationParamsExtended));
- assert.strictEqual(response.status, 200);
- const meta = getMeta(await response.text());
- assert.strictEqual(meta.clientName, 'Misklient');
- assert.strictEqual(meta.clientLogo, `http://127.0.0.1:${clientPort}/logo.png`);
- });
+ // direct error because there's no redirect URI to ping
+ await assertDirectError(response, 400, 'invalid_request');
+ });
+ });
- test('Missing Logo', async () => {
- sender = (reply): void => {
- reply.header('Link', '; rel="redirect_uri"');
- reply.send(`
-
-
- Misklient
- `);
- reply.send();
- };
- const client = new AuthorizationCode(clientConfig);
+ test('Disallow loopback', async () => {
+ await sendEnvUpdateRequest({ key: 'MISSKEY_TEST_CHECK_IP_RANGE', value: '1' });
- const response = await fetch(client.authorizeURL({
- redirect_uri,
- scope: 'write:notes',
- state: 'state',
- code_challenge: 'code',
- code_challenge_method: 'S256',
- } as AuthorizationParamsExtended));
- assert.strictEqual(response.status, 200);
- const meta = getMeta(await response.text());
- assert.strictEqual(meta.clientName, 'Misklient');
- assert.strictEqual(meta.clientLogo, undefined);
- });
+ const client = new AuthorizationCode(clientConfig);
+ const response = await fetch(client.authorizeURL({
+ redirect_uri,
+ scope: 'write:notes',
+ state: 'state',
+ code_challenge: 'code',
+ code_challenge_method: 'S256',
+ } as AuthorizationParamsExtended));
+ await assertDirectError(response, 400, 'invalid_request');
+ });
- test('Mismatching URL in h-app', async () => {
- sender = (reply): void => {
- reply.header('Link', '; rel="redirect_uri"');
- reply.send(`
-
-
Misklient
- `);
- reply.send();
- };
+ test('Missing name', async () => {
+ sender = (reply): void => {
+ reply.header('Link', '; rel="redirect_uri"');
+ reply.send();
+ };
- const client = new AuthorizationCode(clientConfig);
+ const client = new AuthorizationCode(clientConfig);
- const response = await fetch(client.authorizeURL({
- redirect_uri,
- scope: 'write:notes',
- state: 'state',
- code_challenge: 'code',
- code_challenge_method: 'S256',
- } as AuthorizationParamsExtended));
- assert.strictEqual(response.status, 200);
- assert.strictEqual(getMeta(await response.text()).clientName, `http://127.0.0.1:${clientPort}/`);
+ const response = await fetch(client.authorizeURL({
+ redirect_uri,
+ scope: 'write:notes',
+ state: 'state',
+ code_challenge: 'code',
+ code_challenge_method: 'S256',
+ } as AuthorizationParamsExtended));
+ assert.strictEqual(response.status, 200);
+ assert.strictEqual(getMeta(await response.text()).clientName, `http://127.0.0.1:${clientPort}/`);
+ });
+
+ test('With Logo', async () => {
+ sender = (reply): void => {
+ reply.header('Link', '; rel="redirect_uri"');
+ reply.send(`
+
+
+ Misklient
+
+
+ `);
+ reply.send();
+ };
+
+ const client = new AuthorizationCode(clientConfig);
+
+ const response = await fetch(client.authorizeURL({
+ redirect_uri,
+ scope: 'write:notes',
+ state: 'state',
+ code_challenge: 'code',
+ code_challenge_method: 'S256',
+ } as AuthorizationParamsExtended));
+ assert.strictEqual(response.status, 200);
+ const meta = getMeta(await response.text());
+ assert.strictEqual(meta.clientName, 'Misklient');
+ assert.strictEqual(meta.clientLogo, `http://127.0.0.1:${clientPort}/logo.png`);
+ });
+
+ test('Missing Logo', async () => {
+ sender = (reply): void => {
+ reply.header('Link', '; rel="redirect_uri"');
+ reply.send(`
+
+
+