fix(api): 🐛 Only decode URI, not full URI component, in application's redirect_url

2025-12-06 08:28:19 +01:00 · 2024-09-04 23:31:58 +02:00 · 2024-09-04 23:31:58 +02:00 · d63196b5ee
parent 53184bbe99
commit d63196b5ee
4 changed files with 6 additions and 11 deletions
--- a/api/api/auth/redirect/index.ts
+++ b/api/api/auth/redirect/index.ts
@ -76,11 +76,9 @@ export default apiRoute((app) =>

        // Redirect back to application
        return context.redirect(
-            encodeURI(
-                `${redirect_uri}?${new URLSearchParams({
-                    code,
-                }).toString()}`,
-            ),
+            `${redirect_uri}?${new URLSearchParams({
+                code,
+            }).toString()}`,
        );
    }),
 );
--- a/api/api/v1/apps/index.ts
+++ b/api/api/v1/apps/index.ts
@ -87,7 +87,7 @@ export default apiRoute((app) =>
                .insert(Applications)
                .values({
                    name: client_name || "",
-                    redirectUri: decodeURIComponent(redirect_uris) || "",
+                    redirectUri: decodeURI(redirect_uris) || "",
                    scopes: scopes || "read",
                    website: website || null,
                    clientId: randomString(32, "base64url"),
--- a/api/oauth/token/index.ts
+++ b/api/oauth/token/index.ts
@ -112,10 +112,7 @@ export default apiRoute((app) =>
                        where: (token, { eq, and }) =>
                            and(
                                eq(token.code, code),
-                                eq(
-                                    token.redirectUri,
-                                    decodeURIComponent(redirect_uri),
-                                ),
+                                eq(token.redirectUri, decodeURI(redirect_uri)),
                                eq(token.clientId, client_id),
                            ),
                    });
--- a/plugins/openid/routes/authorize.ts
+++ b/plugins/openid/routes/authorize.ts
@ -303,7 +303,7 @@ export default (plugin: PluginType) =>
                redirectUri.searchParams.append("code", code);
                state && redirectUri.searchParams.append("state", state);

-                return context.redirect(encodeURI(redirectUri.toString()));
+                return context.redirect(redirectUri.toString());
            },
        ),
    );