From d63196b5ee4f66ce74c35d1036786cab017364fe Mon Sep 17 00:00:00 2001
From: Jesse Wierzbinski
Date: Wed, 4 Sep 2024 23:31:58 +0200
Subject: [PATCH] fix(api): :bug: Only decode URI, not full URI component, in application's redirect_url
---
 api/api/auth/redirect/index.ts | 8 +++-----
 api/api/v1/apps/index.ts | 2 +-
 api/oauth/token/index.ts | 5 +----
 plugins/openid/routes/authorize.ts | 2 +-
 4 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/api/api/auth/redirect/index.ts b/api/api/auth/redirect/index.ts
index e2dd84eb..ebc0590f 100644
--- a/api/api/auth/redirect/index.ts
+++ b/api/api/auth/redirect/index.ts
@@ -76,11 +76,9 @@ export default apiRoute((app) =>
 // Redirect back to application
 return context.redirect(
- encodeURI(
- `${redirect_uri}?${new URLSearchParams({
- code,
- }).toString()}`,
- ),
+ `${redirect_uri}?${new URLSearchParams({
+ code,
+ }).toString()}`,
 );
 }),
 );
diff --git a/api/api/v1/apps/index.ts b/api/api/v1/apps/index.ts
index ab4d4ca3..9d31861f 100644
--- a/api/api/v1/apps/index.ts
+++ b/api/api/v1/apps/index.ts
@@ -87,7 +87,7 @@ export default apiRoute((app) =>
 .insert(Applications)
 .values({
 name: client_name || "",
- redirectUri: decodeURIComponent(redirect_uris) || "",
+ redirectUri: decodeURI(redirect_uris) || "",
 scopes: scopes || "read",
 website: website || null,
 clientId: randomString(32, "base64url"),
diff --git a/api/oauth/token/index.ts b/api/oauth/token/index.ts
index 2c249350..f0e37a3e 100644
--- a/api/oauth/token/index.ts
+++ b/api/oauth/token/index.ts
@@ -112,10 +112,7 @@ export default apiRoute((app) =>
 where: (token, { eq, and }) =>
 and(
 eq(token.code, code),
- eq(
- token.redirectUri,
- decodeURIComponent(redirect_uri),
- ),
+ eq(token.redirectUri, decodeURI(redirect_uri)),
 eq(token.clientId, client_id),
 ),
 });
diff --git a/plugins/openid/routes/authorize.ts b/plugins/openid/routes/authorize.ts
index cff8322e..a934ad66 100644
--- a/plugins/openid/routes/authorize.ts
+++ b/plugins/openid/routes/authorize.ts
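Review bot: In api/api/auth/redirect/index.ts the redirect target is still built by string concatenation, `${redirect_uri}?${…}`, so a `redirect_uri` that already carries a query string or a fragment yields a malformed URL and the `code` parameter can end up in the wrong component. With `encodeURI` removed, nothing on this path normalises the value before it reaches the `Location` header. Building the target with the URL API, as plugins/openid/routes/authorize.ts does, avoids both: `const target = new URL(redirect_uri); target.searchParams.append("code", code); return context.redirect(target.toString());`. Whether `redirect_uri` was checked against the application's registered URI earlier in the handler is not visible here; the route body starts above the hunk.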
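Review bot: `decodeURI(redirect_uris)` in api/api/v1/apps/index.ts throws a `URIError` on a malformed percent sequence, and the same call is added inside the query in api/oauth/token/index.ts, so client-supplied input can raise an unhandled exception unless validation outside these hunks already rules that out. Both call sites should catch the error and answer with the route's usual 4xx validation response rather than let it surface as a server error. Separately, if `redirect_uris` can be undefined at this point, the `|| ""` fallback is never reached, because `decodeURI(undefined)` returns the string "undefined"; applying the default first, `decodeURI(redirect_uris ?? "")`, keeps the intended behaviour. The `.values({ … })` object continues past the end of the hunk.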
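Review bot: The lookup in api/oauth/token/index.ts compares `token.redirectUri` with a freshly decoded request value, so it only matches when the code that wrote `token.redirectUri` applied exactly the same transformation; that write is not part of this patch, and rows written while `decodeURIComponent` was in use may hold a differently decoded string. RFC 6749 section 4.1.3 requires the redirect_uri presented at the token endpoint to be identical to the one used in the authorization request, which is simplest to guarantee by comparing the stored and received strings without decoding, or by routing every store and compare through one shared normalising helper. A comment such as `// must mirror the normalisation applied when the token row is written` would at least record the coupling. The enclosing query starts above the hunk.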
@@ -303,7 +303,7 @@ export default (plugin: PluginType) =>
 redirectUri.searchParams.append("code", code);
 state && redirectUri.searchParams.append("state", state);
- return context.redirect(encodeURI(redirectUri.toString()));
+ return context.redirect(redirectUri.toString());
 },
 ),
 );
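Review bot: The new `context.redirect(redirectUri.toString())` line in plugins/openid/routes/authorize.ts would benefit from a short comment recording why no encoder wraps it, since the reason is not obvious from the call alone and the wrapper could easily be reintroduced. `redirectUri` is used as a `URL` here (it exposes `searchParams`), and `URL#toString()` already returns a percent-encoded serialisation, so an extra `encodeURI` would re-encode the `%` of existing escapes. Suggested comment: `// URL#toString() is already percent-encoded; do not wrap in encodeURI (double-encodes "%")`. The handler starts above the hunk.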