OAuth client validation improvements (#4289)

* OAuth client validation improvements

* Remove `isLocalHostname` export

* tidy

Author: matthieusieben

.changeset/afraid-rings-tan.md

@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-client-expo": patch
+---
+
+The package now re-exports everything from `@atproto/oauth-client`, avoiding the need to explicitly depend on it.

.changeset/honest-comics-search.md

@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-types": patch
+---
+
+Enforce stronger validation of `privateUseUriSchema`

.changeset/lucky-lies-float.md

@@ -0,0 +1,9 @@
+---
+"@atproto/oauth-types": minor
+---
+
+Remove exported `oauthHttpsRedirectURISchema` and `oauthPrivateUseRedirectURISchema` in favor of `oauthRedirectUriSchema` and `oauthLoopbackClientRedirectUriSchema`, which provide semantically meaningful groupings of redirect URIs based on OAuth client types.
+
+`oauthHttpsRedirectURISchema` can still be accessed using `httpsUriSchema`.
+`oauthPrivateUseRedirectURISchema` can still be accessed using `privateUseUriSchema`.
+

.changeset/soft-ghosts-try.md

@@ -0,0 +1,5 @@
+---
+"@atproto-labs/fetch-node": minor
+---
+
+Remove `isLocalHostname` export

.changeset/tiny-zebras-cough.md

@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-types": minor
+---
+
+Remove unused `isLoopbackUrl` utility

packages/internal/fetch-node/src/unicast.ts

@@ -229,7 +229,7 @@ export function unicastLookup(
  * @returns whether the hostname is a name typically used for on locale area networks.
  * @note **DO NOT** use for security reasons. Only as heuristic.
  */
-export function isLocalHostname(hostname: string): boolean {
+function isLocalHostname(hostname: string): boolean {
   const parts = hostname.split('.')
   if (parts.length < 2) return true
 

packages/oauth/oauth-client-expo/src/index.ts

@@ -1,5 +1,7 @@
 import './polyfill'
 
+export * from '@atproto/oauth-client'
+
 export type { ExpoOAuthClientInterface } from './expo-oauth-client-interface'
 export type { ExpoOAuthClientOptions } from './expo-oauth-client-options'
 

packages/oauth/oauth-provider/src/client/client-manager.ts

@@ -5,7 +5,7 @@ import {
   OAuthClientIdLoopback,
   OAuthClientMetadata,
   OAuthClientMetadataInput,
-  isLoopbackHost,
+  isLocalHostname,
   isOAuthClientIdDiscoverable,
   isOAuthClientIdLoopback,
   oauthClientMetadataSchema,
@@ -17,7 +17,6 @@ import {
   fetchJsonZodProcessor,
   fetchOkProcessor,
 } from '@atproto-labs/fetch'
-import { isLocalHostname } from '@atproto-labs/fetch-node'
 import { pipe } from '@atproto-labs/pipe'
 import {
   CachedGetter,
@@ -232,6 +231,10 @@ export class ClientManager {
     clientId: ClientId,
     metadata: OAuthClientMetadata,
   ): OAuthClientMetadata {
+    // @TODO This method should only check for rules that are specific to this
+    // implementation or the ATPROTO specification. All generic validation rules
+    // should be moved to the @atproto/oauth-types package.
+
     if (metadata.jwks && metadata.jwks_uri) {
       throw new InvalidClientMetadataError(
         'jwks_uri and jwks are mutually exclusive',
@@ -604,56 +607,12 @@ export class ClientManager {
         }
 
         case isPrivateUseUriScheme(url): {
-          // https://datatracker.ietf.org/doc/html/rfc8252#section-7.1
-          //
-          // > When choosing a URI scheme to associate with the app, apps MUST
-          // > use a URI scheme based on a domain name under their control,
-          // > expressed in reverse order, as recommended by Section 3.8 of
-          // > [RFC7595] for private-use URI schemes.
-
           if (metadata.application_type !== 'native') {
             throw new InvalidRedirectUriError(
               `Private-Use URI Scheme redirect URI are only allowed for native apps`,
             )
           }
 
-          // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
-          //
-          // > In addition to the collision-resistant properties, requiring a
-          // > URI scheme based on a domain name that is under the control of
-          // > the app can help to prove ownership in the event of a dispute
-          // > where two apps claim the same private-use URI scheme (where one
-          // > app is acting maliciously).
-          //
-          // We can't check for ownership here (as there is no concept of
-          // proven ownership in the generic client validation), but we can
-          // check that the domain is a valid domain name.
-
-          const urlDomain = reverseDomain(url.protocol.slice(0, -1))
-
-          if (isLocalHostname(urlDomain)) {
-            throw new InvalidRedirectUriError(
-              `Private-use URI Scheme redirect URI must not be a local hostname`,
-            )
-          }
-
-          // https://datatracker.ietf.org/doc/html/rfc8252#section-7.1
-          //
-          // > Following the requirements of Section 3.2 of [RFC3986], as there
-          // > is no naming authority for private-use URI scheme redirects, only
-          // > a single slash ("/") appears after the scheme component.
-          if (
-            url.href.startsWith(`${url.protocol}//`) ||
-            url.username ||
-            url.password ||
-            url.hostname ||
-            url.port
-          ) {
-            throw new InvalidRedirectUriError(
-              `Private-Use URI Scheme must be in the form ${url.protocol}/<path>`,
-            )
-          }
-
           break
         }
 
@@ -700,22 +659,6 @@ export class ClientManager {
       )
     }
 
-    for (const redirectUri of metadata.redirect_uris) {
-      const url = parseRedirectUri(redirectUri)
-
-      if (url.protocol !== 'http:') {
-        throw new InvalidRedirectUriError(
-          `Loopback clients must use HTTP redirect URIs`,
-        )
-      }
-
-      if (!isLoopbackHost(url.hostname)) {
-        throw new InvalidRedirectUriError(
-          `Loopback clients must use loopback redirect URIs`,
-        )
-      }
-    }
-
     return metadata
   }
 
@@ -762,9 +705,19 @@ export class ClientManager {
     }
 
     for (const redirectUri of metadata.redirect_uris) {
+      // @NOTE at this point, all redirect URIs have already been validated by
+      // oauthRedirectUriSchema
+
       const url = parseRedirectUri(redirectUri)
 
       if (isPrivateUseUriScheme(url)) {
+        // https://datatracker.ietf.org/doc/html/rfc8252#section-7.1
+        //
+        // > When choosing a URI scheme to associate with the app, apps MUST use
+        // > a URI scheme based on a domain name under their control, expressed
+        // > in reverse order, as recommended by Section 3.8 of [RFC7595] for
+        // > private-use URI schemes.
+
         // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
         //
         // > In addition to the collision-resistant properties, requiring a
@@ -773,11 +726,14 @@ export class ClientManager {
         // > where two apps claim the same private-use URI scheme (where one
         // > app is acting maliciously).
 
-        // https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html
+        // https://atproto.com/specs/oauth
         //
-        // Fully qualified domain name (FQDN) of the client_id, in reverse
-        // order. This could be relaxed to allow same apex domain names, or
-        // parent domains, but for now we require an exact match.
+        // > Any custom scheme must match the client_id hostname in
+        // > reverse-domain order. The URI scheme must be followed by a single
+        // > colon (:) then a single forward slash (/) and then a URI path
+        // > component. For example, an app with client_id
+        // > https://app.example.com/client-metadata.json could have a
+        // > redirect_uri of com.example.app:/callback.
         const protocol = `${reverseDomain(clientIdUrl.hostname)}:`
         if (url.protocol !== protocol) {
           throw new InvalidRedirectUriError(

packages/oauth/oauth-provider/src/client/client-utils.ts

@@ -1,8 +1,8 @@
 import {
   OAuthClientIdDiscoverable,
+  isLocalHostname,
   parseOAuthDiscoverableClientId,
 } from '@atproto/oauth-types'
-import { isLocalHostname } from '@atproto-labs/fetch-node'
 import { InvalidClientIdError } from '../errors/invalid-client-id-error.js'
 import { InvalidRedirectUriError } from '../errors/invalid-redirect-uri-error.js'
 

packages/oauth/oauth-types/src/atproto-loopback-client-id.ts

@@ -12,7 +12,7 @@ import {
 } from './oauth-client-id-loopback.js'
 import {
   OAuthLoopbackRedirectURI,
-  oauthLoopbackRedirectURISchema,
+  oauthLoopbackClientRedirectUriSchema,
 } from './oauth-redirect-uri.js'
 import { arrayEquivalent, asArray } from './util.js'
 
@@ -41,7 +41,10 @@ export function buildAtprotoLoopbackClientId(
         throw new TypeError(`Unexpected empty "redirect_uris" config`)
       }
       for (const uri of redirectUris) {
-        params.append('redirect_uri', oauthLoopbackRedirectURISchema.parse(uri))
+        params.append(
+          'redirect_uri',
+          oauthLoopbackClientRedirectUriSchema.parse(uri),
+        )
       }
     }