fix: Check grant_type on token requests

joachimvh · joachimvh · commit 71e83a0cd3c3 · 2025-04-15T09:30:30.000+02:00
Not sure why this was commented out.
I might accidentally discover why at some point in the future
after much frustration.
diff --git a/packages/uma/src/dialog/Input.ts b/packages/uma/src/dialog/Input.ts
@@ -7,6 +7,7 @@ import { Permission } from "../views/Permission";
  */
 export const DialogInput = ({
   "@context": $(string),
+  grant_type: $(string),
   ticket: $(string),
   claim_token: $(string),
   claim_token_format: $(string), // TODO: switch to array of claims objects with unknown structure
diff --git a/packages/uma/src/routes/Token.ts b/packages/uma/src/routes/Token.ts
@@ -21,18 +21,18 @@ export class TokenRequestHandler extends HttpHandler {
     this.logger.info(`Received token request.`);
     const params = input.request.body;
 
-    // if (params['grant_type'] !== 'urn:ietf:params:oauth:grant-type:uma-ticket') {
-    //   throw new BadRequestHttpError(
-    //     `Expected 'grant_type' to be set to 'urn:ietf:params:oauth:grant-type:uma-ticket'
-    //   `);
-    // }
-
     try {
       reType(params, DialogInput);
     } catch (e) {
       throw new BadRequestHttpError(`Invalid token request body: ${e instanceof Error ? e.message : ''}`);
     }
 
+    if (params['grant_type'] !== 'urn:ietf:params:oauth:grant-type:uma-ticket') {
+      throw new BadRequestHttpError(
+        `Expected 'grant_type' to be set to 'urn:ietf:params:oauth:grant-type:uma-ticket'
+      `);
+    }
+
     try {
       const tokenResponse = await this.negotiator.negotiate(params);
 
