server: handle invalid URLs in comparison
This commit is contained in:
parent
bdcec2b8a7
commit
de927e1f30
1 changed files with 10 additions and 2 deletions
|
@ -4,12 +4,20 @@ import { URL } from 'node:url';
|
|||
* Compares two URLs for OAuth. The first parameter is the trusted URL
|
||||
* which decides how the comparison is conducted.
|
||||
*
|
||||
* Invalid URLs are never equal.
|
||||
*
|
||||
* Implements the current draft-ietf-oauth-security-topics-21 § 4.1.3
|
||||
* (published 2022-09-27)
|
||||
*/
|
||||
export function compareUrl(trusted: string, untrusted: string): boolean {
|
||||
let trustedUrl = new URL(trusted);
|
||||
let untrustedUrl = new URL(untrusted);
|
||||
let trustedUrl, untrustedUrl;
|
||||
|
||||
try {
|
||||
trustedUrl = new URL(trusted);
|
||||
untrustedUrl = new URL(untrusted);
|
||||
} catch {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Excerpt from RFC 8252:
|
||||
//> Loopback redirect URIs use the "http" scheme and are constructed with
|
||||
|
|
Loading…
Reference in a new issue