From edf22fba1ca8fb21e528c6755f74ae48a9d6704b Mon Sep 17 00:00:00 2001
From: Or Gaizer
Date: Mon, 25 Apr 2022 15:10:41 +0300
Subject: [PATCH] fix: client schema invalidation code not set
Co-authored-by: Or Gaizer
Co-authored-by: Filip Skokan
---
 lib/helpers/client_schema.js | 4 +--
 test/configuration/client_metadata.test.js | 37 ++++++++++++++++++++++
 2 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/lib/helpers/client_schema.js b/lib/helpers/client_schema.js
index d6a877b41..654514f2e 100644
--- a/lib/helpers/client_schema.js
+++ b/lib/helpers/client_schema.js
@@ -593,11 +593,11 @@ module.exports = function getSchema(provider) {
 if (this.grant_types.includes('implicit')) {
 if (protocol === 'http:') {
- this.invalidate(`${label} for web clients using implicit flow MUST only register URLs using the https scheme', 'implicit-force-https`);
+ this.invalidate(`${label} for web clients using implicit flow MUST only register URLs using the https scheme`, 'implicit-force-https');
 }
 if (hostname === 'localhost') {
- this.invalidate(`${label} for web clients using implicit flow must not be using localhost', 'implicit-forbid-localhost`);
+ this.invalidate(`${label} for web clients using implicit flow must not be using localhost`, 'implicit-forbid-localhost');
 }
 }
 break;
diff --git a/test/configuration/client_metadata.test.js b/test/configuration/client_metadata.test.js
index f0c56f7d6..a2b244dc1 100644
--- a/test/configuration/client_metadata.test.js
+++ b/test/configuration/client_metadata.test.js
@@ -1,6 +1,7 @@
 const { strict: assert } = require('assert');
 const util = require('util');
+const sinon = require('sinon');
 const { expect } = require('chai');
 const camelCase = require('lodash/camelCase');
 const merge = require('lodash/merge');
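Review bot: The `hostname === 'localhost'` guard in the client_schema.js hunk is an exact string match, so this line on its own does not refuse loopback address literals such as `127.0.0.1` or `[::1]` for implicit-flow web clients. Whether they are rejected elsewhere cannot be seen here, because the enclosing `case` starts and ends outside the hunk. If only the literal name is meant to be refused, a comment above the check would make that explicit, for example `// only the literal hostname 'localhost' is rejected here; loopback IP literals are not covered by this check`. The same applies to `protocol === 'http:'`, which names one scheme while its message says URLs MUST use https; presumably other schemes are filtered before this point, but that is worth confirming.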
@@ -370,6 +371,42 @@ describe('Client metadata validation', () => {
 grant_types: ['implicit'],
 response_types: ['id_token'],
 });
+ it('has an schema invalidation hook for forcing https on implicit', async () => {
+ const sandbox = sinon.createSandbox();
+ sandbox.spy(DefaultProvider.Client.Schema.prototype, 'invalidate');
+ await addClient({
+ grant_types: ['implicit'],
+ response_types: ['id_token'],
+ redirect_uris: ['http://foo/bar'],
+ }).then(() => {
+ assert(false);
+ }, () => {
+ const spy = DefaultProvider.Client.Schema.prototype.invalidate;
+ expect(spy).to.have.property('calledOnce', true);
+ const call = spy.getCall(0);
+ const [, code] = call.args;
+ expect(code).to.eql('implicit-force-https');
+ }).finally(() => {
+ sandbox.restore();
+ });
+ });
+ it('has an schema invalidation hook for preventing localhost', async () => {
+ const sandbox = sinon.createSandbox();
+ sandbox.spy(DefaultProvider.Client.Schema.prototype, 'invalidate');
+ await addClient({
+ grant_types: ['implicit'],
+ response_types: ['id_token'],
+ redirect_uris: ['https://localhost'],
+ }).then(() => {
+ assert(false);
+ }, () => {
+ const spy = DefaultProvider.Client.Schema.prototype.invalidate;
+ expect(spy).to.have.property('calledOnce', true);
+ const call = spy.getCall(0);
+ const [, code] = call.args;
+ expect(code).to.eql('implicit-forbid-localhost');
+ });
+ });
 });
 context('post_logout_redirect_uris', function () {
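Review bot: The second added test ('has an schema invalidation hook for preventing localhost') never restores its sinon sandbox, so the spy on `DefaultProvider.Client.Schema.prototype.invalidate` stays installed after the test finishes. The first test restores it in `.finally()`. Close the second promise chain the same way, `}).finally(() => { sandbox.restore(); });`, or create and restore the sandbox in `beforeEach`/`afterEach` so a failing assertion cannot skip the cleanup. A spy left on the prototype can make later assertions on that method unreliable. Both test titles should also read 'has a schema'.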