feat: Add option to disable url sanitation

DanielRivers · DanielRivers · commit be656bfc5b97 · 2025-02-18T12:08:23.000Z
diff --git a/lib/utils/generateAuthUrl.test.ts b/lib/utils/generateAuthUrl.test.ts
@@ -197,4 +197,35 @@ describe("generateAuthUrl", () => {
 
     expect(state).toEqual(testState);
   });
+
+  it("if disableUrlSanitization is set, should leave the redirect the URL alone", async () => {
+    const domain = "https://auth.example.com";
+    const options: LoginOptions = {
+      clientId: "client123",
+      scope: [Scopes.openid, Scopes.profile, Scopes.offline_access],
+      redirectURL: "https://example2.com/",
+      prompt: PromptTypes.create,
+    };
+    const expectedUrl =
+      "https://auth.example.com/oauth2/auth?client_id=client123&response_type=code&redirect_uri=https%3A%2F%2Fexample2.com%2F&audience=&scope=openid+profile+offline&prompt=create&code_challenge_method=S256";
+
+    const result = await generateAuthUrl(
+      domain,
+      IssuerRouteTypes.login,
+      options,
+      { disableUrlSanitization: true }
+    );
+    const nonce = result.url.searchParams.get("nonce");
+    expect(nonce).not.toBeNull();
+    expect(nonce!.length).toBe(16);
+    const state = result.url.searchParams.get("state");
+    expect(state).not.toBeNull();
+    expect(state!.length).toBe(32);
+    const codeChallenge = result.url.searchParams.get("code_challenge");
+    expect(codeChallenge!.length).toBeGreaterThanOrEqual(27);
+    result.url.searchParams.delete("code_challenge");
+    result.url.searchParams.delete("nonce");
+    result.url.searchParams.delete("state");
+    expect(result.url.toString()).toBe(expectedUrl);
+  });
 });
diff --git a/lib/utils/generateAuthUrl.ts b/lib/utils/generateAuthUrl.ts
@@ -3,6 +3,10 @@ import { IssuerRouteTypes, LoginOptions, PromptTypes } from "../types";
 import { generateRandomString } from "./generateRandomString";
 import { mapLoginMethodParamsForUrl } from "./mapLoginMethodParamsForUrl";
 
+interface generateAuthUrlConfig {
+  disableUrlSanitization: boolean;
+}
+
 /**
  *
  * @param options
@@ -12,7 +16,8 @@ import { mapLoginMethodParamsForUrl } from "./mapLoginMethodParamsForUrl";
 export const generateAuthUrl = async (
   domain: string,
   type: IssuerRouteTypes = IssuerRouteTypes.login,
-  options: LoginOptions,
+  loginOptions: LoginOptions,
+  config?: generateAuthUrlConfig,
 ): Promise<{
   url: URL;
   state: string;
@@ -23,30 +28,30 @@ export const generateAuthUrl = async (
   const authPath = `${domain}/oauth2/auth`;
   const activeStorage = getInsecureStorage();
   const searchParams: Record<string, string> = {
-    client_id: options.clientId,
-    response_type: options.responseType || "code",
-    ...mapLoginMethodParamsForUrl(options),
+    client_id: loginOptions.clientId,
+    response_type: loginOptions.responseType || "code",
+    ...mapLoginMethodParamsForUrl(loginOptions, config?.disableUrlSanitization),
   };
 
-  if (!options.state) {
-    options.state = generateRandomString(32);
+  if (!loginOptions.state) {
+    loginOptions.state = generateRandomString(32);
   }
   if (activeStorage) {
-    activeStorage.setSessionItem(StorageKeys.state, options.state);
+    activeStorage.setSessionItem(StorageKeys.state, loginOptions.state);
   }
-  searchParams["state"] = options.state;
+  searchParams["state"] = loginOptions.state;
 
-  if (!options.nonce) {
-    options.nonce = generateRandomString(16);
+  if (!loginOptions.nonce) {
+    loginOptions.nonce = generateRandomString(16);
   }
-  searchParams["nonce"] = options.nonce;
+  searchParams["nonce"] = loginOptions.nonce;
   if (activeStorage) {
-    activeStorage.setSessionItem(StorageKeys.nonce, options.nonce);
+    activeStorage.setSessionItem(StorageKeys.nonce, loginOptions.nonce);
   }
 
   let returnCodeVerifier = "";
-  if (options.codeChallenge) {
-    searchParams["code_challenge"] = options.codeChallenge;
+  if (loginOptions.codeChallenge) {
+    searchParams["code_challenge"] = loginOptions.codeChallenge;
   } else {
     const { codeVerifier, codeChallenge } = await generatePKCEPair();
     returnCodeVerifier = codeVerifier;
@@ -57,11 +62,11 @@ export const generateAuthUrl = async (
   }
   searchParams["code_challenge_method"] = "S256";
 
-  if (options.codeChallengeMethod) {
-    searchParams["code_challenge_method"] = options.codeChallengeMethod;
+  if (loginOptions.codeChallengeMethod) {
+    searchParams["code_challenge_method"] = loginOptions.codeChallengeMethod;
   }
 
-  if (!options.prompt && type === IssuerRouteTypes.register) {
+  if (!loginOptions.prompt && type === IssuerRouteTypes.register) {
     searchParams["prompt"] = PromptTypes.create;
   }
 
diff --git a/lib/utils/mapLoginMethodParamsForUrl.ts b/lib/utils/mapLoginMethodParamsForUrl.ts
@@ -3,13 +3,14 @@ import { sanitizeUrl } from "./sanitizeUrl";
 
 export const mapLoginMethodParamsForUrl = (
   options: Partial<LoginMethodParams>,
+  disableUrlSanitization: boolean = false,
 ): Record<string, string> => {
   const translate: Record<string, string | undefined> = {
     login_hint: options.loginHint,
     is_create_org: options.isCreateOrg?.toString(),
     connection_id: options.connectionId,
     redirect_uri: options.redirectURL
-      ? sanitizeUrl(options.redirectURL)
+      ? disableUrlSanitization ? options.redirectURL : sanitizeUrl(options.redirectURL)
       : undefined,
     audience: options.audience || "",
     scope: options.scope?.join(" ") || "email profile openid offline",
