Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

URL query parameters do not get removed in htu field #1842

Closed
1 task done
joachimvh opened this issue Dec 10, 2021 · 3 comments
Closed
1 task done

URL query parameters do not get removed in htu field #1842

joachimvh opened this issue Dec 10, 2021 · 3 comments
Labels
bug Something isn't working

Comments

@joachimvh
Copy link

Search terms you've used

htu

Impacted package

Which packages do you think might be impacted by the bug ?

  • solid-client-authn-core

Bug description

The htu field of the access token is generated here. Actual code of the removeHashUsernameAndPassword function is as follows:

function removeHashUsernameAndPassword(audience: string): string {
  const cleanedAudience = new URL(audience);
  cleanedAudience.hash = "";
  cleanedAudience.username = "";
  cleanedAudience.password = "";
  return cleanedAudience.toString();
}

The issue is that the above code does not clear the query parameters of the URL. http://example.com/?query remains unchanged after going through that function, but the htu parameter is defined as

The HTTP URI used for the request, without query and fragment parts

To Reproduce

See CommunitySolidServer/Recipes#3

Or just run the code above with any URL containing a query parameter.

Expected result

htu: http://example.com/

Actual result

htu: http://example.com/?query
@joachimvh joachimvh added the bug Something isn't working label Dec 10, 2021
@joachimvh joachimvh mentioned this issue Dec 10, 2021
Open
@NSeydoux
Copy link
Contributor

Thanks for reporting @joachimvh , we'll fix this soon.

@diegoaraujo
Copy link
Contributor

Any news?

diegoaraujo added a commit to diegoaraujo/solid-client-authn-js that referenced this issue Jan 25, 2022
@diegoaraujo
fixing issue "URL query parameters do not get removed in htu field in…
b26d0cf 
…rupt#1842"
diegoaraujo added a commit to diegoaraujo/solid-client-authn-js that referenced this issue Jan 25, 2022
@diegoaraujo
fixing issue "URL query parameters do not get removed in htu field in…
3e21a81 
…rupt#1842"
@NSeydoux NSeydoux mentioned this issue Jan 26, 2022
Merged
3 tasks
NSeydoux pushed a commit that referenced this issue Jan 26, 2022
@diegoaraujo @NSeydoux
fixing issue "URL query parameters do not get removed in htu field #1842
5ff1c44 
"
NSeydoux added a commit that referenced this issue Jan 26, 2022
@NSeydoux @diegoaraujo
Remove the URL query parameters from the HTU field
2dbc30b 
This fixes issue #1842. The HTU field is now build by addition rather than by substraction: the origin and path from the target URL are concatenated to build the DPoP header `htu` claim, rather than stripping elements from the target URL.

Co-authored-by: Diego Albuquerque <[email protected]>
@ThisIsMissEm
Copy link
Contributor

This was released in 1.11.4 and onwards, sorry we didn't follow up properly on this. We've also just done a fix for the iss parameter in #2103, which should be released soon-ish.

Closing as this is done.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ThisIsMissEm @diegoaraujo @joachimvh @NSeydoux