fix: validate ciba notification tokens

Author: panva

lib/actions/authorization/ciba_required.js

@@ -1,13 +1,30 @@
 import presence from '../../helpers/validate_presence.js';
+import { InvalidRequest } from '../../helpers/errors.js';
 
-export default function oidcRequired(ctx, next) {
+const CLIENT_NOTIFICATION_TOKEN = /^[A-Za-z0-9._~+\x2F-]+=*$/u;
+
+export default function cibaRequired(ctx, next) {
   const required = new Set(['scope']);
+  const callbackMode = ctx.oidc.client.backchannelTokenDeliveryMode !== 'poll';
 
-  if (ctx.oidc.client.backchannelTokenDeliveryMode !== 'poll') {
+  if (callbackMode) {
     required.add('client_notification_token');
   }
 
   presence(ctx, ...required);
 
+  if (callbackMode) {
+    const { client_notification_token: clientNotificationToken } = ctx.oidc.params;
+    if (!CLIENT_NOTIFICATION_TOKEN.test(clientNotificationToken)) {
+      throw new InvalidRequest('client_notification_token must be a valid Bearer token');
+    }
+
+    if (clientNotificationToken.length > 1024) {
+      throw new InvalidRequest('client_notification_token must not exceed 1024 characters');
+    }
+  } else {
+    ctx.oidc.params.client_notification_token = undefined;
+  }
+
   return next();
 }

test/ciba/ciba.test.js

@@ -202,6 +202,24 @@ describe('features.ciba', () => {
         expect(verifyUserCode[2]).to.equal('1234');
       });
 
+      it('ignores client_notification_token when using poll', async function () {
+        const [, [, request]] = await Promise.all([
+          this.agent.post(route)
+            .send({
+              scope: 'openid',
+              login_hint: 'accountId',
+              client_id: 'client',
+              client_notification_token: 'foo bar',
+            })
+            .type('form')
+            .expect(200)
+            .expect('content-type', /application\/json/),
+          once(emitter, 'triggerAuthenticationDevice'),
+        ]);
+
+        expect(request.params).not.to.have.property('client_notification_token');
+      });
+
       it('requested_expiry', async function () {
         await this.agent.post(route)
           .send({
@@ -485,6 +503,62 @@ describe('features.ciba', () => {
             });
         });
 
+        it('accepts the client_notification_token Bearer token syntax when using ping', async function () {
+          return this.agent.post(route)
+            .send({
+              client_id: 'client-ping',
+              scope: 'openid',
+              login_hint: 'accountId',
+              client_notification_token: 'abc-._~+/==',
+            })
+            .type('form')
+            .expect(200)
+            .expect('content-type', /application\/json/);
+        });
+
+        it('validates the client_notification_token syntax when using ping', async function () {
+          const values = [
+            'foo bar',
+            'foo:bar',
+            'foo=bar',
+            'foo,bar',
+          ];
+
+          for (const client_notification_token of values) {
+            await this.agent.post(route)
+              .send({
+                client_id: 'client-ping',
+                scope: 'openid',
+                login_hint: 'accountId',
+                client_notification_token,
+              })
+              .type('form')
+              .expect(400)
+              .expect('content-type', /application\/json/)
+              .expect({
+                error: 'invalid_request',
+                error_description: 'client_notification_token must be a valid Bearer token',
+              });
+          }
+        });
+
+        it('validates the client_notification_token length when using ping', async function () {
+          return this.agent.post(route)
+            .send({
+              client_id: 'client-ping',
+              scope: 'openid',
+              login_hint: 'accountId',
+              client_notification_token: 'a'.repeat(1025),
+            })
+            .type('form')
+            .expect(400)
+            .expect('content-type', /application\/json/)
+            .expect({
+              error: 'invalid_request',
+              error_description: 'client_notification_token must not exceed 1024 characters',
+            });
+        });
+
         it('requires the scope param with openid', async function () {
           const spy = sinon.spy();
           this.provider.once('backchannel_authentication.error', spy);