compliance(pkce): throw InvalidRequestError if code request contains unsupported code challenge method

jankapunkt · jankapunkt · commit 2411f92993e9 · 2022-11-27T11:54:35.000+01:00
diff --git a/lib/handlers/authorize-handler.js b/lib/handlers/authorize-handler.js
@@ -21,6 +21,7 @@ const UnauthorizedClientError = require('../errors/unauthorized-client-error');
 const isFormat = require('@node-oauth/formats');
 const tokenUtil = require('../utils/token-util');
 const url = require('url');
+const pkce = require('../pkce/pkce');
 
 /**
  * Response types.
@@ -381,9 +382,18 @@ AuthorizeHandler.prototype.getCodeChallenge = function(request) {
 /**
  * Get code challenge method from request or defaults to plain.
  * https://www.rfc-editor.org/rfc/rfc7636#section-4.3
+ *
+ * @throws {InvalidRequestError} if request contains unsupported code_challenge_method
+ *  (see https://www.rfc-editor.org/rfc/rfc7636#section-4.4)
  */
 AuthorizeHandler.prototype.getCodeChallengeMethod = function(request) {
-  return request.body.code_challenge_method || 'plain';
+  const algorithm = request.body.code_challenge_method;
+
+  if (algorithm && !pkce.isValidMethod(algorithm)) {
+    throw new InvalidRequestError(`Invalid request: transform algorithm '${algorithm}' not supported`);
+  }
+
+  return algorithm || 'plain';
 };
 
 /**
diff --git a/test/integration/handlers/authorize-handler_test.js b/test/integration/handlers/authorize-handler_test.js
@@ -1316,6 +1316,26 @@ describe('AuthorizeHandler integration', function() {
       codeChallengeMethod.should.equal('S256');
     });
 
+    it('should throw if the code challenge method is not supported', async function () {
+      const model = {
+        getAccessToken: function() {},
+        getClient: function() {},
+        saveAuthorizationCode: function() {}
+      };
+      const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
+      const request = new Request({ body: {code_challenge_method: 'foo'}, headers: {}, method: {}, query: {} });
+
+      try {
+        handler.getCodeChallengeMethod(request);
+
+        should.fail();
+      } catch (e) {
+        // defined in RFC 7636 - 4.4
+        e.should.be.an.instanceOf(InvalidRequestError);
+        e.message.should.equal('Invalid request: transform algorithm \'foo\' not supported');
+      }
+    });
+
     it('should get default code challenge method plain if missing', function() {
       const model = {
         getAccessToken: function() {},
