From 5a2ea80ef5e59ec0c03dbd97d82f551e24a9d348 Mon Sep 17 00:00:00 2001
From: Filip Skokan
Date: Fri, 5 Jan 2024 15:32:41 +0100
Subject: [PATCH] fix: encode client_secret_basic - _ . ! ~ * ' ( ) characters

Because encodeURIComponent() encodes everything except alphanumericals and `- _ . ! ~ * ' ( )` these need to be encoded explicitly similar to how the resulting `%20' is replaced with '+'

This is as per RFC6749 Section 2.3.1 and Appendix B
---
 lib/helpers/client.js | 21 ++++++++++++++++++++-
 test/client/client_instance.test.js | 2 +-
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/lib/helpers/client.js b/lib/helpers/client.js
index 8c2f7fc7..65c7fdbf 100644
--- a/lib/helpers/client.js
+++ b/lib/helpers/client.js
@@ -9,7 +9,26 @@ const request = require('./request');
 const { keystores } = require('./weak_cache');
 const merge = require('./merge');
 
-const formUrlEncode = (value) => encodeURIComponent(value).replace(/%20/g, '+');
+function formUrlEncode(token) {
+ return encodeURIComponent(token).replace(/(?:[-_.!~*'()]|%20)/g, (substring) => {
+ switch (substring) {
+ case '-':
+ case '_':
+ case '.':
+ case '!':
+ case '~':
+ case '*':
+ case "'":
+ case '(':
+ case ')':
+ return `%${substring.charCodeAt(0).toString(16).toUpperCase()}`;
+ case '%20':
+ return '+';
+ default:
+ throw new Error();
+ }
+ });
+}
 
 async function clientAssertion(endpoint, payload) {
 let alg = this[`${endpoint}_endpoint_auth_signing_alg`];
diff --git a/test/client/client_instance.test.js b/test/client/client_instance.test.js
index 75301038..5fee8e41 100644
--- a/test/client/client_instance.test.js
+++ b/test/client/client_instance.test.js
@@ -2274,7 +2274,7 @@ describe('Client', () => {
 expect(await clientInternal.authFor.call(client, 'token')).to.eql({
 headers: {
 Authorization:
- 'Basic YW4lM0FpZGVudGlmaWVyOnNvbWUrc2VjdXJlKyUyNitub24tc3RhbmRhcmQrc2VjcmV0',
+ 'Basic YW4lM0FpZGVudGlmaWVyOnNvbWUrc2VjdXJlKyUyNitub24lMkRzdGFuZGFyZCtzZWNyZXQ=',
 },
 });
 });
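Review bot: formUrlEncode now encodes a rule that is not discoverable from the code itself: a reader sees encodeURIComponent() followed by a switch over nine punctuation characters, and only the commit message says that this set is exactly what encodeURIComponent() leaves unescaped and that RFC 6749 §2.3.1 / Appendix B require application/x-www-form-urlencoded for the client_id and client_secret placed in the Basic credentials. I would put a comment above `function formUrlEncode(token) {` such as `// RFC 6749 §2.3.1 + Appendix B: form-urlencode client_id/client_secret for HTTP Basic. encodeURIComponent() leaves - _ . ! ~ * ' ( ) unescaped, so they are percent-encoded here and the resulting %20 becomes '+'.` The `default:` branch's bare `throw new Error();` is unreachable by construction (the regex only matches the listed characters or `%20`) but gives no hint of the invariant if the regex and the switch ever drift apart; `throw new Error(\`formUrlEncode: unexpected match ${substring}\`);` would. As a point of style, the switch duplicates the regex's character class; the same mapping reads as `return encodeURIComponent(token).replace(/[-_.!~*'()]/g, (c) => \`%${c.charCodeAt(0).toString(16).toUpperCase()}\`).replace(/%20/g, '+');` with no duplicated list and no unreachable branch (the two passes cannot interfere, since the first only emits %2D %5F %2E %21 %7E %2A %27 %28 %29).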
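Review bot: The updated expectation pins only `-` out of the nine newly encoded characters: the Base64 value decodes to `an%3Aidentifier:some+secure+%26+non%2Dstandard+secret`, so `_ . ! ~ * ' ( )` and a secret containing a literal `%` or space next to them remain unasserted. A second case whose client_secret contains the full set would catch the regex and the switch in formUrlEncode drifting apart, which the implementation otherwise only reports at runtime through its `default:` branch. The enclosing it() block starts before the hunk.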