fix: client schema invalidation code not set

Co-authored-by: Or Gaizer <or.gaizer@transmitsecurity.com> Co-authored-by: Filip Skokan <panva.ip@gmail.com>
panva · Apr 25, 2022 · edf22fb · edf22fb
1 parent 30c7406
commit edf22fb
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 2 deletions.
diff --git a/lib/helpers/client_schema.js b/lib/helpers/client_schema.js
@@ -593,11 +593,11 @@ module.exports = function getSchema(provider) {
 
             if (this.grant_types.includes('implicit')) {
               if (protocol === 'http:') {
-                this.invalidate(`${label} for web clients using implicit flow MUST only register URLs using the https scheme', 'implicit-force-https`);
+                this.invalidate(`${label} for web clients using implicit flow MUST only register URLs using the https scheme`, 'implicit-force-https');
               }
 
               if (hostname === 'localhost') {
-                this.invalidate(`${label} for web clients using implicit flow must not be using localhost', 'implicit-forbid-localhost`);
+                this.invalidate(`${label} for web clients using implicit flow must not be using localhost`, 'implicit-forbid-localhost');
               }
             }
             break;

diff --git a/test/configuration/client_metadata.test.js b/test/configuration/client_metadata.test.js
@@ -1,6 +1,7 @@
 const { strict: assert } = require('assert');
 const util = require('util');
 
+const sinon = require('sinon');
 const { expect } = require('chai');
 const camelCase = require('lodash/camelCase');
 const merge = require('lodash/merge');
@@ -370,6 +371,42 @@ describe('Client metadata validation', () => {
       grant_types: ['implicit'],
       response_types: ['id_token'],
     });
+    it('has an schema invalidation hook for forcing https on implicit', async () => {
+      const sandbox = sinon.createSandbox();
+      sandbox.spy(DefaultProvider.Client.Schema.prototype, 'invalidate');
+      await addClient({
+        grant_types: ['implicit'],
+        response_types: ['id_token'],
+        redirect_uris: ['http://foo/bar'],
+      }).then(() => {
+        assert(false);
+      }, () => {
+        const spy = DefaultProvider.Client.Schema.prototype.invalidate;
+        expect(spy).to.have.property('calledOnce', true);
+        const call = spy.getCall(0);
+        const [, code] = call.args;
+        expect(code).to.eql('implicit-force-https');
+      }).finally(() => {
+        sandbox.restore();
+      });
+    });
+    it('has an schema invalidation hook for preventing localhost', async () => {
+      const sandbox = sinon.createSandbox();
+      sandbox.spy(DefaultProvider.Client.Schema.prototype, 'invalidate');
+      await addClient({
+        grant_types: ['implicit'],
+        response_types: ['id_token'],
+        redirect_uris: ['https://localhost'],
+      }).then(() => {
+        assert(false);
+      }, () => {
+        const spy = DefaultProvider.Client.Schema.prototype.invalidate;
+        expect(spy).to.have.property('calledOnce', true);
+        const call = spy.getCall(0);
+        const [, code] = call.args;
+        expect(code).to.eql('implicit-forbid-localhost');
+      });
+    });
   });
 
   context('post_logout_redirect_uris', function () {