fix: encode client_secret_basic - _ . ! ~ * ' ( ) characters

Because encodeURIComponent() encodes everything except alphanumericals and `- _ . ! ~ * ' ( )` these need to be encoded explicitly similar to how the resulting `%20' is replaced with '+' This is as per RFC6749 Section 2.3.1 and Appendix B
panva · Jan 5, 2024 · 5a2ea80 · 5a2ea80
1 parent 9d3cfb8
commit 5a2ea80
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/lib/helpers/client.js b/lib/helpers/client.js
@@ -9,7 +9,26 @@ const request = require('./request');
 const { keystores } = require('./weak_cache');
 const merge = require('./merge');
 
-const formUrlEncode = (value) => encodeURIComponent(value).replace(/%20/g, '+');
+function formUrlEncode(token) {
+  return encodeURIComponent(token).replace(/(?:[-_.!~*'()]|%20)/g, (substring) => {
+    switch (substring) {
+      case '-':
+      case '_':
+      case '.':
+      case '!':
+      case '~':
+      case '*':
+      case "'":
+      case '(':
+      case ')':
+        return `%${substring.charCodeAt(0).toString(16).toUpperCase()}`;
+      case '%20':
+        return '+';
+      default:
+        throw new Error();
+    }
+  });
+}
 
 async function clientAssertion(endpoint, payload) {
   let alg = this[`${endpoint}_endpoint_auth_signing_alg`];

diff --git a/test/client/client_instance.test.js b/test/client/client_instance.test.js
@@ -2274,7 +2274,7 @@ describe('Client', () => {
         expect(await clientInternal.authFor.call(client, 'token')).to.eql({
           headers: {
             Authorization:
-              'Basic YW4lM0FpZGVudGlmaWVyOnNvbWUrc2VjdXJlKyUyNitub24tc3RhbmRhcmQrc2VjcmV0',
+              'Basic YW4lM0FpZGVudGlmaWVyOnNvbWUrc2VjdXJlKyUyNitub24lMkRzdGFuZGFyZCtzZWNyZXQ=',
           },
         });
       });