diff --git a/packages/backend/package.json b/packages/backend/package.json
index bf340925a6..45704ecedc 100644
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@@ -128,7 +128,7 @@
 "otpauth": "9.1.2",
 "parse5": "7.1.2",
 "pg": "8.11.0",
- "pkce-challenge": "^3.1.0",
+ "pkce-challenge": "^4.0.1",
 "probe-image-size": "7.2.3",
 "promise-limit": "2.7.0",
 "pug": "3.0.2",
diff --git a/packages/backend/test/e2e/oauth.ts b/packages/backend/test/e2e/oauth.ts
index c0efb73135..32060f3422 100644
--- a/packages/backend/test/e2e/oauth.ts
+++ b/packages/backend/test/e2e/oauth.ts
@@ -35,6 +35,7 @@ function getClient(): AuthorizationCode<'client_id'> {
 return new AuthorizationCode({
 client: {
 id: `http://127.0.0.1:${clientPort}/`,
+ secret: '',
 },
 auth: {
 tokenHost: host,
@@ -113,7 +114,7 @@ describe('OAuth', () => {
 });
 test('Full flow', async () => {
- const { code_challenge, code_verifier } = pkceChallenge.default(128);
+ const { code_challenge, code_verifier } = await pkceChallenge(128);
 const client = getClient();
@@ -168,8 +169,8 @@ describe('OAuth', () => {
 test('Two concurrent flows', async () => {
 const client = getClient();
- const pkceAlice = pkceChallenge.default(128);
- const pkceBob = pkceChallenge.default(128);
+ const pkceAlice = await pkceChallenge(128);
+ const pkceBob = await pkceChallenge(128);
 const responseAlice = await fetch(client.authorizeURL({
 redirect_uri,
@@ -285,8 +286,9 @@ describe('OAuth', () => {
 assert.strictEqual((await response.json() as OAuthErrorResponse).error, 'invalid_request');
 });
+ // TODO: Use precomputed challenge/verifier set for this one for deterministic test
 test('Verify PKCE', async () => {
- const { code_challenge, code_verifier } = pkceChallenge.default(128);
+ const { code_challenge, code_verifier } = await pkceChallenge(128);
 const client = getClient();
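Review bot: The `secret: ''` added to the client config in getClient needs a comment explaining why it is empty, because an empty string reads like a placeholder that a later maintainer will "fix" by inventing a secret. Every flow in this file authorizes with a `code_challenge`/`code_verifier` pair, so this appears to be a public client protected by PKCE rather than by a client secret; suggested: `secret: '', // public client: no client secret, the flow is protected by PKCE`. If the library transmits the empty secret as client credentials to the token endpoint, how the server treats an empty secret is worth confirming, but that is outside this hunk. getClient's body continues outside the hunk.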
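Review bot: The TODO placed above `test('Verify PKCE', ...)` can be resolved in the same change instead of left open: a fixed `code_verifier` string with its S256 challenge derived once in the test via `createHash('sha256').update(code_verifier).digest('base64url')` from node:crypto makes the input reproducible and also cross-checks the library's own challenge derivation rather than trusting it. With `await pkceChallenge(128)` the verifier is freshly random on every run, so a failing run cannot be replayed byte-for-byte from its log. The test body continues outside the hunk.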
@@ -405,7 +407,7 @@ describe('OAuth', () => {
 });
 test('Partially known scopes', async () => {
- const { code_challenge, code_verifier } = pkceChallenge.default(128);
+ const { code_challenge, code_verifier } = await pkceChallenge(128);
 const client = getClient();
@@ -455,7 +457,7 @@ describe('OAuth', () => {
 });
 test('Duplicated scopes', async () => {
- const { code_challenge, code_verifier } = pkceChallenge.default(128);
+ const { code_challenge, code_verifier } = await pkceChallenge(128);
 const client = getClient();
@@ -487,7 +489,7 @@ describe('OAuth', () => {
 });
 test('Scope check by API', async () => {
- const { code_challenge, code_verifier } = pkceChallenge.default(128);
+ const { code_challenge, code_verifier } = await pkceChallenge(128);
 const client = getClient();
@@ -527,7 +529,7 @@ describe('OAuth', () => {
 });
 test('Authorization header', async () => {
- const { code_challenge, code_verifier } = pkceChallenge.default(128);
+ const { code_challenge, code_verifier } = await pkceChallenge(128);
 const client = getClient();
@@ -624,7 +626,7 @@ describe('OAuth', () => {
 });
 test('Invalid redirect_uri at token endpoint', async () => {
- const { code_challenge, code_verifier } = pkceChallenge.default(128);
+ const { code_challenge, code_verifier } = await pkceChallenge(128);
 const client = getClient();
@@ -651,7 +653,7 @@ describe('OAuth', () => {
 });
 test('Invalid redirect_uri including the valid one at token endpoint', async () => {
- const { code_challenge, code_verifier } = pkceChallenge.default(128);
+ const { code_challenge, code_verifier } = await pkceChallenge(128);
 const client = getClient();
@@ -678,7 +680,7 @@ describe('OAuth', () => {
 });
 test('No redirect_uri at token endpoint', async () => {
- const { code_challenge, code_verifier } = pkceChallenge.default(128);
+ const { code_challenge, code_verifier } = await pkceChallenge(128);
 const client = getClient();
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index d5be7fa4d7..2928b3c4ea 100644
--- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -300,8 +300,8 @@ importers: specifier: 8.11.0 version: 8.11.0 pkce-challenge: - specifier: ^3.1.0 - version: 3.1.0 + specifier: ^4.0.1 + version: 4.0.1 probe-image-size: specifier: 7.2.3 version: 7.2.3 @@ -7722,7 +7722,7 @@ packages: /@types/http-link-header@1.0.3: resolution: {integrity: sha512-y8HkoD/vyid+5MrJ3aas0FvU3/BVBGcyG9kgxL0Zn4JwstA8CglFPnrR0RuzOjRCXwqzL5uxWC2IO7Ub0rMU2A==} dependencies: - '@types/node': 20.2.5 + '@types/node': 20.3.1 dev: true /@types/istanbul-lib-coverage@2.0.4: @@ -10660,10 +10660,6 @@ packages: shebang-command: 2.0.0 which: 2.0.2 - /crypto-js@4.1.1: - resolution: {integrity: sha512-o2JlM7ydqd3Qk9CA0L4NL6mTzU2sdx96a+oOfPu8Mkl/PK51vSyoi8/rQ8NknZtk44vq15lmhAj9CIAGwgeWKw==} - dev: false - /crypto-random-string@2.0.0: resolution: {integrity: sha512-v1plID3y9r/lPhviJ1wrXpLeyUIGAZ2SHNYTEapm7/8A9nLPoyvVp3RK/EPFqn5kEznyWgYZNsRtYYIWbuG8KA==} engines: {node: '>=8'} @@ -17156,10 +17152,9 @@ packages: engines: {node: '>= 6'} dev: true - /pkce-challenge@3.1.0: - resolution: {integrity: sha512-bQ/0XPZZ7eX+cdAkd61uYWpfMhakH3NeteUF1R8GNa+LMqX8QFAkbCLqq+AYAns1/ueACBu/BMWhrlKGrdvGZg==} - dependencies: - crypto-js: 4.1.1 + /pkce-challenge@4.0.1: + resolution: {integrity: sha512-WGmtS1stcStsvRwNXix3iR1ujFcDaJR+sEODRa2ZFruT0lM4lhPAFTL5SUpqD5vTJdRlgtuMQhcp1kIEJx4LUw==} + engines: {node: '>=16.20.0'} dev: false /pkg-dir@3.0.0: