Merge pull request #116 from pks1989/add_custom_params_to_auth_uri

create a way to add some additional params to redirect url
badgateway · Aug 9, 2023 · 588c23b · 588c23b
2 parents b1df783 + 338ecfa
commit 588c23b
Show file tree

Hide file tree

Showing 3 changed files with 85 additions and 1 deletion.
diff --git a/src/client/authorization-code.ts b/src/client/authorization-code.ts
@@ -26,6 +26,11 @@ type GetAuthorizeUrlParams = {
    * List of scopes.
    */
   scope?: string[];
+
+  /**
+   * Any parameters listed here will be added to the query string for the authorization server endpoint.
+   */
+  extraParams?: Record<string, string>;
 }
 
 type ValidateResponseResult = {
@@ -66,7 +71,7 @@ export class OAuth2AuthorizationCodeClient {
       this.client.getEndpoint('authorizationEndpoint')
     ]);
 
-    const query: AuthorizationQueryParams = {
+    let query: AuthorizationQueryParams = {
       client_id: this.client.settings.clientId,
       response_type: 'code',
       redirect_uri: params.redirectUri,
@@ -80,6 +85,15 @@ export class OAuth2AuthorizationCodeClient {
       query.scope = params.scope.join(' ');
     }
 
+    const disallowed = Object.keys(query);
+
+    if (params?.extraParams && Object.keys(params.extraParams).filter((key) => disallowed.includes(key)).length > 0) {
+      throw new Error(`The following extraParams are disallowed: '${disallowed.join("', '")}'`);
+    }
+
+    query = {...query, ...params?.extraParams};
+
+
     return authorizationEndpoint + '?' + generateQueryString(query);
 
   }

diff --git a/src/messages.ts b/src/messages.ts
@@ -47,6 +47,7 @@ export type AuthorizationQueryParams = {
   scope?: string;
   code_challenge_method?: 'plain' | 'S256';
   code_challenge?: string;
+  [key: string]: string | undefined;
 }
 
 /**

diff --git a/test/authorization-code.ts b/test/authorization-code.ts
@@ -35,6 +35,75 @@ describe('authorization-code', () => {
         })
       ).to.equal(server.url + '/authorize?' + params.toString());
 
+    });
+    it('should support extraparams', async() => {
+
+      const server = testServer();
+      const client = new OAuth2Client({
+        server: server.url,
+        authorizationEndpoint: '/authorize',
+        clientId: 'test-client-id',
+      });
+
+      const redirectUri = 'http://my-app.example/redirect';
+
+      const params = new URLSearchParams({
+        client_id: 'test-client-id',
+        response_type: 'code',
+        redirect_uri: redirectUri,
+        scope: 'a b',
+        foo: 'bar',
+      });
+
+      expect(
+        await client.authorizationCode.getAuthorizeUri({
+          redirectUri,
+          scope: ['a', 'b'],
+          extraParams: {
+            foo: 'bar'
+          }
+        })
+      ).to.equal(server.url + '/authorize?' + params.toString());
+
+    });
+    it('should throw error when user rewrote params by extraparams', async() => {
+
+      const server = testServer();
+      const client = new OAuth2Client({
+        server: server.url,
+        authorizationEndpoint: '/authorize',
+        clientId: 'test-client-id',
+      });
+
+      const redirectUri = 'http://my-app.example/redirect';
+
+      const params  = {
+        redirectUri,
+        scope: ['a', 'b'],
+        state: 'some-state'
+
+      };
+
+      const extraParams = {
+        foo: 'bar',
+        scope: 'accidentally rewrote core parameter'
+      };
+
+      try {
+        await client.authorizationCode.getAuthorizeUri({
+          ...params,
+          extraParams
+        });
+      } catch (error: any) {
+        expect(error.message).to.equal(
+          'The following extraParams are disallowed: \'client_id\', \'response_type\', \'redirect_uri\', ' +
+             '\'code_challenge_method\', \'code_challenge\', \'state\', \'scope\''
+        );
+        return;
+      }
+
+      expect.fail('Should have thrown');
+
     });
     it('should support PKCE', async() => {