fixing issue "URL query parameters do not get removed in htu field in…

…rupt#1842"
diegoaraujo · Jan 25, 2022 · 3e21a81 · 3e21a81
1 parent 93ac2d4
commit 3e21a81
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/packages/core/src/authenticatedFetch/dpopUtils.spec.ts b/packages/core/src/authenticatedFetch/dpopUtils.spec.ts
@@ -66,6 +66,19 @@ describe("createDpopHeader", () => {
     expect(payload.htu).toBe("https://some.resource/");
   });
 
+  it("creates a JWT with 'htu' that needs to be normalized", async () => {
+    const header = await createDpopHeader(
+      "https://user:[email protected]/?query#hash",
+      "GET",
+      await mockKeyPair()
+    );
+    const { payload } = await jwtVerify(header, (await mockJwk()).publicKey);
+    expect(payload.htm).toBe("GET");
+    expect(payload.jti).toBeDefined();
+    // The IRI is normalized, hence the trailing '/'
+    expect(payload.htu).toBe("https://some.resource/");
+  });
+
   it("creates a JWT with the appropriate protected header", async () => {
     const header = await createDpopHeader(
       "https://some.resource",

diff --git a/packages/core/src/authenticatedFetch/dpopUtils.ts b/packages/core/src/authenticatedFetch/dpopUtils.ts
@@ -30,11 +30,12 @@ import { PREFERRED_SIGNING_ALG } from "../constant";
  * @returns The normalized URL as a string.
  * @hidden
  */
-function removeHashUsernameAndPassword(audience: string): string {
+function normalizeHTU(audience: string): string {
   const cleanedAudience = new URL(audience);
   cleanedAudience.hash = "";
   cleanedAudience.username = "";
   cleanedAudience.password = "";
+  cleanedAudience.search = "";
   return cleanedAudience.toString();
 }
 
@@ -58,7 +59,7 @@ export async function createDpopHeader(
   dpopKey: KeyPair
 ): Promise<string> {
   return new SignJWT({
-    htu: removeHashUsernameAndPassword(audience),
+    htu: normalizeHTU(audience),
     htm: method.toUpperCase(),
     jti: v4(),
   })