Added URI validation for subject_token_type in CTE

Author: pmathew92

auth0/src/main/java/com/auth0/android/authentication/AuthenticationAPIClient.kt

@@ -8,11 +8,23 @@ import com.auth0.android.NetworkErrorException
 import com.auth0.android.dpop.DPoP
 import com.auth0.android.dpop.DPoPException
 import com.auth0.android.dpop.SenderConstraining
-import com.auth0.android.request.*
-import com.auth0.android.request.internal.*
+import com.auth0.android.request.AuthenticationRequest
+import com.auth0.android.request.ErrorAdapter
+import com.auth0.android.request.JsonAdapter
+import com.auth0.android.request.ProfileRequest
+import com.auth0.android.request.PublicKeyCredentials
+import com.auth0.android.request.Request
+import com.auth0.android.request.SignUpRequest
+import com.auth0.android.request.UserData
+import com.auth0.android.request.internal.BaseAuthenticationRequest
+import com.auth0.android.request.internal.BaseRequest
+import com.auth0.android.request.internal.GsonAdapter
 import com.auth0.android.request.internal.GsonAdapter.Companion.forMap
 import com.auth0.android.request.internal.GsonAdapter.Companion.forMapOf
+import com.auth0.android.request.internal.GsonProvider
+import com.auth0.android.request.internal.RequestFactory
 import com.auth0.android.request.internal.ResponseUtils.isNetworkError
+import com.auth0.android.request.internal.validator.CustomTokenExchangeValidator
 import com.auth0.android.result.Challenge
 import com.auth0.android.result.Credentials
 import com.auth0.android.result.DatabaseUser
@@ -758,6 +770,7 @@ public class AuthenticationAPIClient @VisibleForTesting(otherwise = VisibleForTe
         organization: String? = null
     ): AuthenticationRequest {
         return tokenExchange(subjectTokenType, subjectToken, organization)
+            .addValidator(CustomTokenExchangeValidator())
     }
 
     /**

auth0/src/main/java/com/auth0/android/request/AuthenticationRequest.kt

@@ -2,7 +2,6 @@ package com.auth0.android.request
 
 import com.auth0.android.Auth0
 import com.auth0.android.authentication.AuthenticationException
-import com.auth0.android.callback.Callback
 import com.auth0.android.result.Credentials
 
 /**
@@ -74,4 +73,15 @@ public interface AuthenticationRequest : Request<Credentials, AuthenticationExce
      * @return the current builder instance
      */
     public fun withIdTokenVerificationIssuer(issuer: String): AuthenticationRequest
+
+    /**
+     * Adds a validator to be executed before the request is sent.
+     * Multiple validators can be added and will be executed in order.
+     *
+     * @param validator the validator to add
+     * @return itself
+     */
+    override fun addValidator(validator: RequestValidator): AuthenticationRequest {
+        return this
+    }
 }

auth0/src/main/java/com/auth0/android/request/Request.kt

@@ -76,4 +76,15 @@ public interface Request<T, U : Auth0Exception> {
      * @return itself
      */
     public fun addHeader(name: String, value: String): Request<T, U>
+
+    /**
+     * Adds a validator to be executed before the request is sent.
+     * Multiple validators can be added and will be executed in order.
+     *
+     * @param validator the validator to add
+     * @return itself
+     */
+    public fun addValidator(validator: RequestValidator): Request<T, U> {
+        return this
+    }
 }

auth0/src/main/java/com/auth0/android/request/RequestValidator.kt

@@ -0,0 +1,18 @@
+package com.auth0.android.request
+
+import com.auth0.android.Auth0Exception
+
+/**
+ * Interface for validating request parameters before execution.
+ * Validators are invoked before the network request is made.
+ */
+public interface RequestValidator {
+
+    /**
+     * Validates the request options and parameters.
+     * @param options the request options to validate
+     * @throws Auth0Exception if validation fails
+     */
+    @Throws(Auth0Exception::class)
+    public fun validate(options: RequestOptions)
+}

auth0/src/main/java/com/auth0/android/request/SignUpRequest.kt

@@ -91,6 +91,11 @@ public class SignUpRequest
         return this
     }
 
+    override fun addValidator(validator: RequestValidator): AuthenticationRequest {
+        authenticationRequest.addValidator(validator)
+        return this
+    }
+
     override fun withIdTokenVerificationLeeway(leeway: Int): SignUpRequest {
         authenticationRequest.withIdTokenVerificationLeeway(leeway)
         return this

auth0/src/main/java/com/auth0/android/request/internal/BaseAuthenticationRequest.kt

@@ -7,11 +7,16 @@ import com.auth0.android.Auth0Exception
 import com.auth0.android.authentication.AuthenticationException
 import com.auth0.android.authentication.ParameterBuilder
 import com.auth0.android.callback.Callback
-import com.auth0.android.provider.*
+import com.auth0.android.provider.IdTokenMissingException
+import com.auth0.android.provider.IdTokenVerificationOptions
+import com.auth0.android.provider.IdTokenVerifier
+import com.auth0.android.provider.TokenValidationException
+import com.auth0.android.provider.UnexpectedIdTokenException
 import com.auth0.android.request.AuthenticationRequest
 import com.auth0.android.request.Request
+import com.auth0.android.request.RequestValidator
 import com.auth0.android.result.Credentials
-import java.util.*
+import java.util.Date
 
 internal open class BaseAuthenticationRequest(
     private val request: Request<Credentials, AuthenticationException>,
@@ -97,6 +102,11 @@ internal open class BaseAuthenticationRequest(
         return this
     }
 
+    override fun addValidator(validator: RequestValidator): AuthenticationRequest {
+        request.addValidator(validator)
+        return this
+    }
+
     override fun validateClaims(): AuthenticationRequest {
         this.validateClaims = true
         return this

auth0/src/main/java/com/auth0/android/request/internal/BaseRequest.kt

@@ -12,6 +12,7 @@ import com.auth0.android.request.JsonAdapter
 import com.auth0.android.request.NetworkingClient
 import com.auth0.android.request.Request
 import com.auth0.android.request.RequestOptions
+import com.auth0.android.request.RequestValidator
 import com.auth0.android.request.ServerResponse
 import kotlinx.coroutines.CoroutineDispatcher
 import kotlinx.coroutines.Dispatchers
@@ -40,6 +41,8 @@ internal open class BaseRequest<T, U : Auth0Exception>(
 
     private val options: RequestOptions = RequestOptions(method)
 
+    private val validators = mutableListOf<RequestValidator>()
+
     override fun addHeader(name: String, value: String): Request<T, U> {
         options.headers[name] = value
         return this
@@ -70,6 +73,11 @@ internal open class BaseRequest<T, U : Auth0Exception>(
         return this
     }
 
+    override fun addValidator(validator: RequestValidator): Request<T, U> {
+        validators.add(validator)
+        return this
+    }
+
     /**
      * Runs asynchronously and executes the network request, without blocking the current thread.
      * The result is parsed into a <T> value and posted in the callback's onSuccess method or a <U>
@@ -126,6 +134,7 @@ internal open class BaseRequest<T, U : Auth0Exception>(
      */
     @kotlin.jvm.Throws(Auth0Exception::class)
     override fun execute(): T {
+        runClientValidation()
         val response: ServerResponse
         try {
             if (dPoP?.shouldGenerateProof(url, options.parameters) == true) {
@@ -176,4 +185,10 @@ internal open class BaseRequest<T, U : Auth0Exception>(
         }
     }
 
+    private fun runClientValidation() {
+        validators.forEach { validator ->
+            validator.validate(options)
+        }
+    }
+
 }

auth0/src/main/java/com/auth0/android/request/internal/validator/CustomTokenExchangeValidator.kt

@@ -0,0 +1,52 @@
+package com.auth0.android.request.internal.validator
+
+import com.auth0.android.authentication.AuthenticationException
+import com.auth0.android.request.RequestOptions
+import com.auth0.android.request.RequestValidator
+import java.net.URI
+
+/**
+ * Client side validation for custom token exchange
+ */
+public class CustomTokenExchangeValidator : RequestValidator {
+
+    private val reservedNameSpace = listOf(
+        "http://auth0.com",
+        "https://auth0.com",
+        "http://okta.com",
+        "https://okta.com",
+        "urn:ietf",
+        "urn:auth0",
+        "urn:okta"
+    )
+
+    override fun validate(options: RequestOptions) {
+        val subjectTokenType = options.parameters["subject_token_type"] as String
+
+        // Check if it's a reserved namespace
+        if (reservedNameSpace.contains(subjectTokenType)) {
+            throw AuthenticationException(
+                "Invalid URI", IllegalArgumentException(
+                    "The passed URI is a reserved namespace and cannot be used"
+                )
+            )
+        }
+
+        // If it starts with http:// or https://, validate it as a URI
+        if (subjectTokenType.startsWith(
+                "http://",
+                ignoreCase = true
+            ) || subjectTokenType.startsWith("https://", ignoreCase = true)
+        ) {
+            runCatching {
+                URI(subjectTokenType)
+            }.onFailure { error ->
+                throw AuthenticationException(
+                    "Invalid URI", IllegalArgumentException(
+                        "The subject_token_type is not a valid URI: ${error.message}"
+                    )
+                )
+            }
+        }
+    }
+}