Merge pull request #332 from axa-group/ntk/fix_331

Prevent well known endpoints from containing double slashes

Author: poveden

CHANGELOG.md

@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
+## [7.2.1](https://github.com/axa-group/oauth2-mock-server/compare/v7.2.0...v7.2.1) — 2025-04-30
+
+### Fixed
+
+- Fix paths of well known endpoints when issuer ends with a forward slash (reported in [#331](https://github.com/axa-group/oauth2-mock-server/issues/331) by [kikisaeba](https://github.com/kikisaeba))
+
+### Changed
+
+- Update dependencies
+
 ## [7.2.0](https://github.com/axa-group/oauth2-mock-server/compare/v7.1.2...v7.2.0) — 2024-11-25
 
 ### Added

package.json

@@ -1,17 +1,21 @@
 {
   "name": "oauth2-mock-server",
-  "version": "7.2.0",
+  "version": "7.2.1",
   "description": "OAuth 2 mock server",
+  "type": "commonjs",
   "keywords": [
     "oauth",
     "oauth2",
     "oauth 2",
     "mock",
+    "fake",
+    "stub",
     "server",
     "cli",
     "jwt",
     "oidc",
-    "openid connect"
+    "openid",
+    "connect"
   ],
   "author": {
     "name": "Jorge Poveda",
@@ -24,7 +28,7 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/axa-group/oauth2-mock-server.git"
+    "url": "git+https://github.com/axa-group/oauth2-mock-server.git"
   },
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -51,30 +55,30 @@
   "dependencies": {
     "basic-auth": "^2.0.1",
     "cors": "^2.8.5",
-    "express": "^4.21.1",
+    "express": "^4.21.2",
     "is-plain-object": "^5.0.0",
-    "jose": "^5.9.6"
+    "jose": "^5.10.0"
   },
   "devDependencies": {
     "@types/basic-auth": "^1.1.6",
     "@types/cors": "^2.8.17",
     "@types/express": "^4.17.21",
-    "@types/node": "^18.19.64",
-    "@types/supertest": "^6.0.2",
-    "@typescript-eslint/eslint-plugin": "^8.15.0",
-    "@typescript-eslint/parser": "^8.15.0",
-    "@vitest/coverage-v8": "^2.1.5",
-    "@vitest/eslint-plugin": "^1.1.10",
+    "@types/node": "^18.19.87",
+    "@types/supertest": "^6.0.3",
+    "@typescript-eslint/eslint-plugin": "^8.31.1",
+    "@typescript-eslint/parser": "^8.31.1",
+    "@vitest/coverage-v8": "^3.1.2",
+    "@vitest/eslint-plugin": "^1.1.43",
     "eslint": "^8.57.1",
     "eslint-config-prettier": "^9.1.0",
     "eslint-plugin-import": "^2.29.1",
-    "eslint-plugin-jsdoc": "^50.5.0",
-    "eslint-plugin-prettier": "^5.2.1",
-    "prettier": "^3.1.1",
+    "eslint-plugin-jsdoc": "^50.6.11",
+    "eslint-plugin-prettier": "^5.2.6",
+    "prettier": "^3.5.3",
     "rimraf": "^5.0.10",
-    "supertest": "^7.0.0",
-    "typescript": "^5.3.3",
-    "vitest": "^2.1.5"
+    "supertest": "^7.1.0",
+    "typescript": "^5.8.3",
+    "vitest": "^3.1.2"
   },
   "resolutions": {
     "@types/node": "^18"

src/lib/oauth2-service.ts

@@ -158,13 +158,15 @@ export class OAuth2Service extends EventEmitter {
   private openidConfigurationHandler: RequestHandler = (_req, res) => {
     assertIsString(this.issuer.url, 'Unknown issuer url.');
 
+    const normalizedIssuerUrl = trimPotentialTrailingSlash(this.issuer.url);
+
     const openidConfig = {
       issuer: this.issuer.url,
-      token_endpoint: `${this.issuer.url}${this.#endpoints.token}`,
-      authorization_endpoint: `${this.issuer.url}${this.#endpoints.authorize}`,
-      userinfo_endpoint: `${this.issuer.url}${this.#endpoints.userinfo}`,
+      token_endpoint: `${normalizedIssuerUrl}${this.#endpoints.token}`,
+      authorization_endpoint: `${normalizedIssuerUrl}${this.#endpoints.authorize}`,
+      userinfo_endpoint: `${normalizedIssuerUrl}${this.#endpoints.userinfo}`,
       token_endpoint_auth_methods_supported: ['none'],
-      jwks_uri: `${this.issuer.url}${this.#endpoints.jwks}`,
+      jwks_uri: `${normalizedIssuerUrl}${this.#endpoints.jwks}`,
       response_types_supported: ['code'],
       grant_types_supported: [
         'client_credentials',
@@ -174,10 +176,10 @@ export class OAuth2Service extends EventEmitter {
       token_endpoint_auth_signing_alg_values_supported: ['RS256'],
       response_modes_supported: ['query'],
       id_token_signing_alg_values_supported: ['RS256'],
-      revocation_endpoint: `${this.issuer.url}${this.#endpoints.revoke}`,
+      revocation_endpoint: `${normalizedIssuerUrl}${this.#endpoints.revoke}`,
       subject_types_supported: ['public'],
-      end_session_endpoint: `${this.issuer.url}${this.#endpoints.endSession}`,
-      introspection_endpoint: `${this.issuer.url}${this.#endpoints.introspect}`,
+      end_session_endpoint: `${normalizedIssuerUrl}${this.#endpoints.endSession}`,
+      introspection_endpoint: `${normalizedIssuerUrl}${this.#endpoints.introspect}`,
       code_challenge_methods_supported: supportedPkceAlgorithms,
     };
 
@@ -192,10 +194,7 @@ export class OAuth2Service extends EventEmitter {
     try {
       const tokenTtl = defaultTokenTtl;
 
-      res.set({
-        'Cache-Control': 'no-store',
-        Pragma: 'no-cache',
-      });
+      res.set({ 'Cache-Control': 'no-store', Pragma: 'no-cache' });
 
       let xfn: ScopesOrTransform | undefined;
 
@@ -207,9 +206,7 @@ export class OAuth2Service extends EventEmitter {
           const verifier = req.body['code_verifier'];
           const savedCodeChallenge = this.#codeChallenges.get(code);
           if (savedCodeChallenge === undefined) {
-            throw new AssertionError({
-              message: 'code_challenge required',
-            });
+            throw new AssertionError({ message: 'code_challenge required' });
           }
           this.#codeChallenges.delete(code);
           if (!isValidPkceCodeVerifier(verifier)) {
@@ -256,27 +253,17 @@ export class OAuth2Service extends EventEmitter {
         case 'authorization_code':
           scope = scope ?? 'dummy';
           xfn = (_header, payload) => {
-            Object.assign(payload, {
-              sub: 'johndoe',
-              amr: ['pwd'],
-              scope,
-            });
+            Object.assign(payload, { sub: 'johndoe', amr: ['pwd'], scope });
           };
           break;
         case 'refresh_token':
           scope = scope ?? 'dummy';
           xfn = (_header, payload) => {
-            Object.assign(payload, {
-              sub: 'johndoe',
-              amr: ['pwd'],
-              scope,
-            });
+            Object.assign(payload, { sub: 'johndoe', amr: ['pwd'], scope });
           };
           break;
         default:
-          return res.status(400).json({
-            error: 'invalid_grant',
-          });
+          return res.status(400).json({ error: 'invalid_grant' });
       }
 
       const token = await this.buildToken(req, tokenTtl, xfn);
@@ -292,14 +279,9 @@ export class OAuth2Service extends EventEmitter {
         const clientId = credentials ? credentials.name : req.body.client_id;
 
         const xfn: JwtTransform = (_header, payload) => {
-          Object.assign(payload, {
-            sub: 'johndoe',
-            aud: clientId,
-          });
+          Object.assign(payload, { sub: 'johndoe', aud: clientId });
           if (reqBody.code !== undefined && this.#nonce[reqBody.code]) {
-            Object.assign(payload, {
-              nonce: this.#nonce[reqBody.code],
-            });
+            Object.assign(payload, { nonce: this.#nonce[reqBody.code] });
             delete this.#nonce[reqBody.code];
           }
         };
@@ -308,10 +290,7 @@ export class OAuth2Service extends EventEmitter {
         body['refresh_token'] = randomUUID();
       }
 
-      const tokenEndpointResponse: MutableResponse = {
-        body,
-        statusCode: 200,
-      };
+      const tokenEndpointResponse: MutableResponse = { body, statusCode: 200 };
 
       /**
        * Before token response event.
@@ -417,9 +396,7 @@ export class OAuth2Service extends EventEmitter {
 
   private userInfoHandler: RequestHandler = (req, res) => {
     const userInfoResponse: MutableResponse = {
-      body: {
-        sub: 'johndoe',
-      },
+      body: { sub: 'johndoe' },
       statusCode: 200,
     };
 
@@ -435,9 +412,7 @@ export class OAuth2Service extends EventEmitter {
   };
 
   private revokeHandler: RequestHandler = (req, res) => {
-    const revokeResponse: StatusCodeMutableResponse = {
-      statusCode: 200,
-    };
+    const revokeResponse: StatusCodeMutableResponse = { statusCode: 200 };
 
     /**
      * Before revoke event.
@@ -473,9 +448,7 @@ export class OAuth2Service extends EventEmitter {
 
   private introspectHandler: RequestHandler = (req, res) => {
     const introspectResponse: MutableResponse = {
-      body: {
-        active: true,
-      },
+      body: { active: true },
       statusCode: 200,
     };
 
@@ -492,3 +465,7 @@ export class OAuth2Service extends EventEmitter {
       .json(introspectResponse.body);
   };
 }
+
+const trimPotentialTrailingSlash = (url: string): string => {
+  return url.endsWith('/') ? url.slice(0, -1) : url;
+};

test/oauth2-service.test.ts

@@ -15,13 +15,18 @@ import {
 import * as testKeys from './keys';
 import { verifyTokenWithKey } from './lib/test_helpers';
 
-describe('OAuth 2 service', () => {
+describe.each([
+  'https://issuer.example.com',
+   'https://issuer.example.com/'
+  ])
+  ('OAuth 2 service with issuer %s', (issuerUrl: string) => {
+
   let issuer: OAuth2Issuer;
   let service: OAuth2Service;
 
   beforeAll(async () => {
     issuer = new OAuth2Issuer();
-    issuer.url = 'https://issuer.example.com';
+    issuer.url = issuerUrl;
     await issuer.keys.add(testKeys.getParsed('test-rs256-key.json'));
 
     service = new OAuth2Service(issuer);
@@ -42,15 +47,17 @@ describe('OAuth 2 service', () => {
     const res = await request(customService.requestHandler)
       .get('/custom-well-known')
       .expect(200);
-    const { url } = customService.issuer;
+
+    const endpointsPrefix = wellKnownEndpointsPrefixFrom(customService.issuer);
+
     expect(res.body).toMatchObject({
-      jwks_uri: `${url!}/custom-jwks`,
-      token_endpoint: `${url!}/custom-token`,
-      authorization_endpoint: `${url!}/custom-authorize`,
-      userinfo_endpoint: `${url!}/custom-userinfo`,
-      revocation_endpoint: `${url!}/revoke`,
-      end_session_endpoint: `${url!}/endsession`,
-      introspection_endpoint: `${url!}/custom-introspect`,
+      jwks_uri: `${endpointsPrefix}/custom-jwks`,
+      token_endpoint: `${endpointsPrefix}/custom-token`,
+      authorization_endpoint: `${endpointsPrefix}/custom-authorize`,
+      userinfo_endpoint: `${endpointsPrefix}/custom-userinfo`,
+      revocation_endpoint: `${endpointsPrefix}/revoke`,
+      end_session_endpoint: `${endpointsPrefix}/endsession`,
+      introspection_endpoint: `${endpointsPrefix}/custom-introspect`,
     });
 
     const getTestCases: [string, number, string?][] = [
@@ -86,32 +93,40 @@ describe('OAuth 2 service', () => {
     }
   });
 
+  const wellKnownEndpointsPrefixFrom = (issuer: OAuth2Issuer) => {
+    const { url } = issuer;
+    expect(url).not.toBeNull();
+
+    return url!.endsWith('/') ? url!.slice(0, -1) : url;
+  };
+
   it('should expose an OpenID configuration endpoint', async () => {
     const res = await request(service.requestHandler)
       .get('/.well-known/openid-configuration')
       .expect(200);
 
-    const { url } = service.issuer;
-    expect(url).not.toBeNull();
+    const endpointsPrefix = wellKnownEndpointsPrefixFrom(service.issuer);
 
     expect(res.body).toEqual({
-      issuer: url,
-      token_endpoint: `${url!}/token`,
-      authorization_endpoint: `${url!}/authorize`,
-      userinfo_endpoint: `${url!}/userinfo`,
+      issuer: service.issuer.url,
+      token_endpoint: `${endpointsPrefix}/token`,
+      authorization_endpoint: `${endpointsPrefix}/authorize`,
+      userinfo_endpoint: `${endpointsPrefix}/userinfo`,
       token_endpoint_auth_methods_supported: ['none'],
-      jwks_uri: `${url!}/jwks`,
+      jwks_uri: `${endpointsPrefix}/jwks`,
       response_types_supported: ['code'],
       grant_types_supported: ['client_credentials', 'authorization_code', 'password'],
       token_endpoint_auth_signing_alg_values_supported: ['RS256'],
       response_modes_supported: ['query'],
       id_token_signing_alg_values_supported: ['RS256'],
-      revocation_endpoint: `${url!}/revoke`,
+      revocation_endpoint: `${endpointsPrefix}/revoke`,
       subject_types_supported: ['public'],
-      introspection_endpoint: `${url!}/introspect`,
+      introspection_endpoint: `${endpointsPrefix}/introspect`,
       code_challenge_methods_supported: ['plain', 'S256'],
-      end_session_endpoint: `${url!}/endsession`,
+      end_session_endpoint: `${endpointsPrefix}/endsession`,
     });
+
+    expect(JSON.stringify(res.body)).not.toMatch(/(?<!https:|http:)\/\//);
   });
 
   it('should expose an JWKS endpoint', async () => {