Remove the URL query parameters from the HTU field

This fixes issue #1842. The HTU field is now build by addition rather than by substraction: the origin and path from the target URL are concatenated to build the DPoP header `htu` claim, rather than stripping elements from the target URL. Co-authored-by: Diego Albuquerque <[email protected]>
inrupt · Jan 26, 2022 · 2dbc30b · 2dbc30b
1 parent 4e705c5
commit 2dbc30b
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,7 +9,10 @@ This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html
 
 The following changes have been implemented but not released yet:
 
-- 
+### Bugfixes
+
+- The HTU field of the DPoP header is now normalized to remove the query parameters.
+Thanks to @diegoaraujo for his first contribution to the project! 
 
 ## 1.11.3 - 2021-08-24
 

diff --git a/packages/core/src/authenticatedFetch/dpopUtils.spec.ts b/packages/core/src/authenticatedFetch/dpopUtils.spec.ts
@@ -66,6 +66,19 @@ describe("createDpopHeader", () => {
     expect(payload.htu).toBe("https://some.resource/");
   });
 
+  it("creates a JWT with 'htu' that needs to be normalized", async () => {
+    const header = await createDpopHeader(
+      "https://user:[email protected]/?query#hash",
+      "GET",
+      await mockKeyPair()
+    );
+    const { payload } = await jwtVerify(header, (await mockJwk()).publicKey);
+    expect(payload.htm).toBe("GET");
+    expect(payload.jti).toBeDefined();
+    // The IRI is normalized, hence the trailing '/'
+    expect(payload.htu).toBe("https://some.resource/");
+  });
+
   it("creates a JWT with the appropriate protected header", async () => {
     const header = await createDpopHeader(
       "https://some.resource",

diff --git a/packages/core/src/authenticatedFetch/dpopUtils.ts b/packages/core/src/authenticatedFetch/dpopUtils.ts
@@ -30,12 +30,9 @@ import { PREFERRED_SIGNING_ALG } from "../constant";
  * @returns The normalized URL as a string.
  * @hidden
  */
-function removeHashUsernameAndPassword(audience: string): string {
-  const cleanedAudience = new URL(audience);
-  cleanedAudience.hash = "";
-  cleanedAudience.username = "";
-  cleanedAudience.password = "";
-  return cleanedAudience.toString();
+function normalizeHTU(audience: string): string {
+  const audienceUrl = new URL(audience);
+  return new URL(audienceUrl.pathname, audienceUrl.origin).toString();
 }
 
 export type KeyPair = {
@@ -58,7 +55,7 @@ export async function createDpopHeader(
   dpopKey: KeyPair
 ): Promise<string> {
   return new SignJWT({
-    htu: removeHashUsernameAndPassword(audience),
+    htu: normalizeHTU(audience),
     htm: method.toUpperCase(),
     jti: v4(),
   })