From 0e7e46ab4b0c72dfe8d6a02bbae2e5861b028f35 Mon Sep 17 00:00:00 2001
From: Winter
Date: Mon, 18 Aug 2025 20:46:01 -0400
Subject: [PATCH] add option to disable some URL checks

Change-Id: uqplmsuzttpnxrsrykowzrtsluyylpkx

This is useful for local development.
---
 helpers/generic.go | 6 +++---
 oauth.go | 11 +++++++----
 types.go | 14 ++++++++------
 3 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/helpers/generic.go b/helpers/generic.go
index f8b68b2..21e4941 100644
--- a/helpers/generic.go
+++ b/helpers/generic.go
@@ -36,13 +36,13 @@ func GenerateKey(kidPrefix *string) (jwk.Key, error) {
 return key, nil
 }
 
-func IsUrlSafeAndParsed(ustr string) (*url.URL, error) {
+func IsUrlSafeAndParsed(ustr string, insecure bool) (*url.URL, error) {
 u, err := url.Parse(ustr)
 if err != nil {
 return nil, err
 }
 
- if u.Scheme != "https" {
+ if u.Scheme != "https" && !insecure {
 return nil, fmt.Errorf("input url is not https")
 }
 
@@ -54,7 +54,7 @@ func IsUrlSafeAndParsed(ustr string) (*url.URL, error) {
 return nil, fmt.Errorf("url user was not empty")
 }
 
- if u.Port() != "" {
+ if u.Port() != "" && !insecure {
 return nil, fmt.Errorf("url port was not empty")
 }
 
diff --git a/oauth.go b/oauth.go
index 1a547a6..8a7f7ac 100644
--- a/oauth.go
+++ b/oauth.go
@@ -24,6 +24,7 @@ type Client struct {
 clientKid string
 clientId string
 redirectUri string
+ insecure bool
 }
 
 type ClientArgs struct {
@@ -31,6 +32,7 @@ type ClientArgs struct {
 ClientJwk jwk.Key
 ClientId string
 RedirectUri string
+ Insecure bool
 }
 
 func NewClient(args ClientArgs) (*Client, error) {
@@ -61,11 +63,12 @@ func NewClient(args ClientArgs) (*Client, error) {
 clientPrivateKey: clientPkey,
 clientId: args.ClientId,
 redirectUri: args.RedirectUri,
+ insecure: args.Insecure,
 }, nil
 }
 
 func (c *Client) ResolvePdsAuthServer(ctx context.Context, ustr string) (string, error) {
- u, err := helpers.IsUrlSafeAndParsed(ustr)
+ u, err := helpers.IsUrlSafeAndParsed(ustr, c.insecure)
 if err != nil {
 return "", err
 }
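Review bot: With insecure set, the scheme check in IsUrlSafeAndParsed is skipped entirely rather than relaxed to http, so a URL with any scheme, including an empty one, now parses as "safe"; the same shape appears in the port check in the next hunk and in the issuer scheme check of Validate in types.go. A narrower relaxation keeps the allow-list explicit, `if u.Scheme != "https" && !(insecure && u.Scheme == "http") {` here and `if iu.Scheme != "https" && !(insecure && iu.Scheme == "http") {` in Validate, so that the development switch admits plain http and nothing else. The exported function also has no doc comment; I would add `// IsUrlSafeAndParsed parses ustr and rejects it unless it is https, carries no userinfo and names no explicit port; with insecure set the scheme and port checks are skipped, which is intended for local development only.` The function body continues past the end of this hunk.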
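Review bot: The new exported field Insecure in ClientArgs has no doc comment, so a caller reading the struct cannot tell which checks it switches off or how far it weakens the client. From the rest of the patch it skips the https-scheme and explicit-port requirements on the PDS, auth-server and PAR URLs and on the issuer in the auth-server metadata, and that belongs on the field: `// Insecure skips the https-scheme and explicit-port checks on resolved and fetched URLs and on the metadata issuer. Intended for local development only.` The unexported mirror field added to Client in the previous hunk could carry the same one-liner.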
@@ -106,7 +109,7 @@ func (c *Client) ResolvePdsAuthServer(ctx context.Context, ustr string) (string,
 }
 
 func (c *Client) FetchAuthServerMetadata(ctx context.Context, ustr string) (*OauthAuthorizationMetadata, error) {
- u, err := helpers.IsUrlSafeAndParsed(ustr)
+ u, err := helpers.IsUrlSafeAndParsed(ustr, c.insecure)
 if err != nil {
 return nil, err
 }
@@ -139,7 +142,7 @@ func (c *Client) FetchAuthServerMetadata(ctx context.Context, ustr string) (*Oau
 return nil, fmt.Errorf("could not unmarshal authserver metadata: %w", err)
 }
 
- if err := metadata.Validate(u); err != nil {
+ if err := metadata.Validate(u, c.insecure); err != nil {
 return nil, fmt.Errorf("could not validate authserver metadata: %w", err)
 }
 
@@ -261,7 +264,7 @@ func (c *Client) SendParAuthRequest(ctx context.Context, authServerUrl string, a
 params.Set("login_hint", loginHint)
 }
 
- _, err = helpers.IsUrlSafeAndParsed(parUrl)
+ _, err = helpers.IsUrlSafeAndParsed(parUrl, c.insecure)
 if err != nil {
 return nil, err
 }
diff --git a/types.go b/types.go
index d5937ff..4847cf2 100644
--- a/types.go
+++ b/types.go
@@ -97,7 +97,7 @@ func (oam *OauthAuthorizationMetadata) UnmarshalJSON(b []byte) error {
 return nil
 }
 
-func (oam *OauthAuthorizationMetadata) Validate(fetch_url *url.URL) error {
+func (oam *OauthAuthorizationMetadata) Validate(fetch_url *url.URL, insecure bool) error {
 if fetch_url == nil {
 return fmt.Errorf("fetch_url was nil")
 }
@@ -111,12 +111,14 @@ func (oam *OauthAuthorizationMetadata) Validate(fetch_url *url.URL) error {
 return fmt.Errorf("issuer hostname does not match fetch url hostname")
 }
 
- if iu.Scheme != "https" {
- return fmt.Errorf("issuer url is not https")
- }
+ if !insecure {
+ if iu.Scheme != "https" {
+ return fmt.Errorf("issuer url is not https")
+ }
 
- if iu.Port() != "" {
- return fmt.Errorf("issuer port is not empty")
+ if iu.Port() != "" {
+ return fmt.Errorf("issuer port is not empty")
+ }
 }
 
 if iu.Path != "" && iu.Path != "/" {
-- 
2.43.0
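Review bot: Validate gains an insecure parameter but still has no doc comment, and a caller cannot tell from the signature which of its checks the flag disables. From the following hunk it skips only the issuer https-scheme and explicit-port checks, while the hostname comparison before them and the path condition after them still run; I would add `// Validate checks that the metadata issuer matches fetch_url's host and, unless insecure is set, that it is https without an explicit port; the path check is never skipped.` The body of Validate continues past the hunk, and the nested `if !insecure {` block used there differs from the `&& !insecure` conditions the same patch writes in helpers/generic.go, which is worth making consistent one way or the other.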