fix(api): 🐛 Only decode URI, not full URI component, in application's redirect_url

api/api/auth/redirect/index.ts

@@ -76,11 +76,9 @@ export default apiRoute((app) =>
 
         // Redirect back to application
         return context.redirect(
-            encodeURI(
             `${redirect_uri}?${new URLSearchParams({
                 code,
             }).toString()}`,
-            ),
         );
     }),
 );

api/api/v1/apps/index.ts

@@ -87,7 +87,7 @@ export default apiRoute((app) =>
                 .insert(Applications)
                 .values({
                     name: client_name || "",
-                    redirectUri: decodeURIComponent(redirect_uris) || "",
+                    redirectUri: decodeURI(redirect_uris) || "",
                     scopes: scopes || "read",
                     website: website || null,
                     clientId: randomString(32, "base64url"),

api/oauth/token/index.ts

@@ -112,10 +112,7 @@ export default apiRoute((app) =>
                         where: (token, { eq, and }) =>
                             and(
                                 eq(token.code, code),
-                                eq(
+                                eq(token.redirectUri, decodeURI(redirect_uri)),
-                                    token.redirectUri,
-                                    decodeURIComponent(redirect_uri),
-                                ),
                                 eq(token.clientId, client_id),
                             ),
                     });

plugins/openid/routes/authorize.ts

@@ -303,7 +303,7 @@ export default (plugin: PluginType) =>
                 redirectUri.searchParams.append("code", code);
                 state && redirectUri.searchParams.append("state", state);
 
-                return context.redirect(encodeURI(redirectUri.toString()));
+                return context.redirect(redirectUri.toString());
             },
         ),
     );