From 8c52004a7973d6521150370328a3a8fb6085a1c3 Mon Sep 17 00:00:00 2001
From: mrw1593 <botahamec@outlook.com>
Date: Sun, 2 Jul 2023 12:02:26 -0400
Subject: More secure redirect URIs

---
 src/api/clients.rs   | 10 ++++++++++
 src/models/client.rs | 14 ++++++++++++++
 2 files changed, 24 insertions(+)

(limited to 'src')

diff --git a/src/api/clients.rs b/src/api/clients.rs
index 27ef995..3f906bb 100644
--- a/src/api/clients.rs
+++ b/src/api/clients.rs
@@ -418,6 +418,16 @@ async fn update_client_redirect_uris(
 	let db = db.get_ref();
 	let id = *id;
 
+	for uri in body.0.iter() {
+		if uri.scheme() != "https" {
+			yeet!(CreateClientError::NonHttpsUri.into());
+		}
+
+		if uri.fragment().is_some() {
+			yeet!(CreateClientError::UriFragment.into())
+		}
+	}
+
 	if !db::client_id_exists(db, id).await.unwrap() {
 		yeet!(ClientNotFound::new(id).into());
 	}
diff --git a/src/models/client.rs b/src/models/client.rs
index 56b0ae6..38be37f 100644
--- a/src/models/client.rs
+++ b/src/models/client.rs
@@ -60,6 +60,10 @@ pub enum CreateClientError {
 	NoSecret,
 	#[error("Only confidential clients may be trusted")]
 	TrustedError,
+	#[error("Redirect URIs must not include a fragment component")]
+	UriFragment,
+	#[error("Redirect URIs must use HTTPS")]
+	NonHttpsUri,
 }
 
 impl ResponseError for CreateClientError {
@@ -93,6 +97,16 @@ impl Client {
 			yeet!(CreateClientError::TrustedError.into());
 		}
 
+		for redirect_uri in redirect_uris {
+			if redirect_uri.scheme() != "https" {
+				yeet!(CreateClientError::NonHttpsUri.into())
+			}
+
+			if redirect_uri.fragment().is_some() {
+				yeet!(CreateClientError::UriFragment.into())
+			}
+		}
+
 		Ok(Self {
 			id,
 			alias: Box::from(alias),
-- 
cgit v1.2.3