fix(endpoint-token): return 403 if token URL doesn’t match publicatio…

…n URL
getindiekit · Apr 1, 2022 · 807690e · 807690e
1 parent 8720945
commit 807690e
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 14 deletions.
diff --git a/helpers/config/index.js b/helpers/config/index.js
@@ -44,7 +44,7 @@ export const testConfig = async (options) => {
       ...(options.useSyndicator ? ["@indiekit/syndicator-twitter"] : []),
     ],
     publication: {
-      me: process.env.TEST_PUBLICATION_URL,
+      me: options?.publication?.me || process.env.TEST_PUBLICATION_URL,
       postTypes,
       timeZone: "UTC",
     },

diff --git a/packages/endpoint-token/lib/controllers/token.js b/packages/endpoint-token/lib/controllers/token.js
@@ -19,21 +19,27 @@ export const tokenController = (publication) => ({
           .split(/\s+/)[1];
         const accessToken = jwt.verify(bearerToken, process.env.TOKEN_SECRET);
 
+        // Normalize publication and token URLs before comparing
+        const accessTokenMe = getCanonicalUrl(accessToken.me);
+        const publicationMe = getCanonicalUrl(publication.me);
+        const isAuthenticated = accessTokenMe === publicationMe;
+
+        // Publication URL does not match that provided by access token
+        if (!isAuthenticated) {
+          return next(new HttpError(403, "Publication URL does not match that provided by access token"))
+        }
+
         if (
-          getCanonicalUrl(accessToken.me) === getCanonicalUrl(publication.me)
+          request?.headers?.accept &&
+          request.headers.accept.includes("application/json")
         ) {
-          if (
-            request?.headers?.accept &&
-            request.headers.accept.includes("application/json")
-          ) {
-            response.json(accessToken);
-          } else {
-            response.header(
-              "Content-Type",
-              "application/x-www-form-urlencoded"
-            );
-            response.send(new URLSearchParams(accessToken).toString());
-          }
+          response.json(accessToken);
+        } else {
+          response.header(
+            "Content-Type",
+            "application/x-www-form-urlencoded"
+          );
+          response.send(new URLSearchParams(accessToken).toString());
         }
       } catch (error) {
         next(new HttpError(401, `JSON Web Token error: ${error.message}`));

diff --git a/packages/endpoint-token/tests/integration/403-verify-token-error-me-mismatch.js b/packages/endpoint-token/tests/integration/403-verify-token-error-me-mismatch.js
@@ -0,0 +1,17 @@
+import test from "ava";
+import { testServer } from "@indiekit-test/server";
+
+test("Returns 403 if publication URL doesn’t match URL in token", async (t) => {
+  const request = await testServer({
+    publication: {
+      me: 'https://server.example'
+    }
+  });
+  const result = await request
+    .get("/token")
+    .auth(process.env.TEST_TOKEN, { type: "bearer" })
+    .set("Accept", "application/json");
+
+  t.is(result.status, 403);
+  t.is(result.body.error_description, "Publication URL does not match that provided by access token");
+});