From b93e6a1657fc60f3985bd1d04c1c3c071518c504 Mon Sep 17 00:00:00 2001
From: Ryan Kelly
Date: Fri, 27 Apr 2018 14:33:11 +1000
Subject: [PATCH] fix(validation): Allow redirect uris with existing query params. (#548); r=philbooth
---
 lib/validators.js | 2 +-
 test/api.js | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/lib/validators.js b/lib/validators.js
index 6c36b74fe..2c2f4f2ae 100644
--- a/lib/validators.js
+++ b/lib/validators.js
@@ -34,7 +34,7 @@ exports.scope = Joi.string()
 
 exports.redirectUri = Joi.string()
 .max(256)
- .regex(/^[a-zA-Z0-9\-_\/.:]+$/);
+ .regex(/^[a-zA-Z0-9\-_\/.:?=&]+$/);
 
 // taken from mozilla/persona/lib/validate.js
 exports.assertion = Joi.string()
diff --git a/test/api.js b/test/api.js
index 19bd39d80..a41b2cff9 100644
--- a/test/api.js
+++ b/test/api.js
@@ -599,6 +599,22 @@ describe('/v1', function() {
 assert.equal(actual, expected);
 });
 });
+
+ it('can have query parameters', function() {
+ mockAssertion().reply(200, VERIFY_GOOD);
+ return Server.api.post({
+ url: '/authorization',
+ payload: authParams({
+ client_id: 'dcdb5ae7add825d2'
+ })
+ }).then(function(res) {
+ assert.equal(res.statusCode, 200);
+ assertSecurityHeaders(res);
+ var expected = 'https://example.domain/return?foo=bar';
+ var actual = res.result.redirect.substr(0, expected.length);
+ assert.equal(actual, expected);
+ });
+ });
 });
 
 describe('?state', function() {
@@ -1961,6 +1977,22 @@ describe('/v1', function() {
 });
 });
 
+ it('works with query parameters', () => {
+ return getCode(clientId).then((code) => {
+ return Server.api.post({
+ url: '/token',
+ payload: {
+ client_id: clientId,
+ client_secret: secret,
+ code: code,
+ redirect_uri: 'https://example.com?extra=params&go=here'
+ }
+ });
+ }).then((res) => {
+ assert.equal(res.statusCode, 200);
+ });
+ });
+
 it('is validated', () => {
 return getCode(clientId).then((code) => {
 return Server.api.post({
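Review bot: The widened class in `.regex(/^[a-zA-Z0-9\-_\/.:?=&]+$/)` is still only a character allowlist, so `?`, `=` and `&` are now accepted at any position and any number of times, not just in one well-formed query string. That is safe only if the value is later compared exactly against the client's registered redirect URI; that comparison is not in this hunk, so it is worth confirming it is an exact match rather than a prefix or host-only check. I would record the intent next to the pattern, e.g. `// character allowlist only: '#' and '%' stay rejected; callers must still match the registered URI exactly`. Percent-encoded query values will still fail this validator, which may surprise clients.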
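Review bot: The assertion in 'can have query parameters' compares only the first `expected.length` characters of `res.result.redirect`, so it would still pass if the server appended its own parameters with a second `?` instead of `&`. Parsing the URL pins this down: `var query = url.parse(res.result.redirect, true).query;` followed by `assert.equal(query.foo, 'bar');` and `assert.ok(query.code);`. This assumes `url` is already required in this test file, which is not visible here. The registered redirect URI for client `dcdb5ae7add825d2` comes from test configuration outside this hunk.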
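Review bot: In 'works with query parameters' the only assertion is `assert.equal(res.statusCode, 200)`, which shows that the value passes the format validator but not whether `/token` ties `redirect_uri` to the URI the code was issued for. `getCode` is defined outside this hunk, so that cannot be told from here. If the endpoint does bind the two, a companion case that sends a different query string and expects a rejection would guard it. If it does not, a comment such as `// redirect_uri is format-checked only at /token` would keep this from being read as a matching test.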