From 668c53f012710c72c586343adb054da562a84d46 Mon Sep 17 00:00:00 2001
From: Martin Auer
Date: Tue, 30 Jul 2024 13:51:19 +0200
Subject: [PATCH] fix: ensure correct token_type in response

---
 packages/client/lib/AccessTokenClient.ts | 8 +++++++-
 packages/client/lib/AccessTokenClientV1_0_11.ts | 8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/packages/client/lib/AccessTokenClient.ts b/packages/client/lib/AccessTokenClient.ts
index 89f72030..837b8199 100644
--- a/packages/client/lib/AccessTokenClient.ts
+++ b/packages/client/lib/AccessTokenClient.ts
@@ -95,7 +95,13 @@ export class AccessTokenClient {
 if (createDPoPOpts?.dPoPSigningAlgValuesSupported && createDPoPOpts.dPoPSigningAlgValuesSupported.length > 0) {
 dPoP = createDPoPOpts ? await createDPoP(getCreateDPoPOptions(createDPoPOpts, requestTokenURL)) : undefined;
 }
- return this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? { headers: { dPoP } } : undefined);
+ const response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? { headers: { dPoP } } : undefined);
+
+ if (response.successBody && createDPoPOpts && createDPoPOpts && response.successBody.token_type !== 'DPoP') {
+ throw new Error('Invalid token type returned. Expected DPoP. Received: ' + response.successBody.token_type);
+ }
+
+ return response;
 }
 
 public async createAccessTokenRequest(opts: Omit): Promise {
diff --git a/packages/client/lib/AccessTokenClientV1_0_11.ts b/packages/client/lib/AccessTokenClientV1_0_11.ts
index e795489b..9feffe13 100644
--- a/packages/client/lib/AccessTokenClientV1_0_11.ts
+++ b/packages/client/lib/AccessTokenClientV1_0_11.ts
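Review bot: The new guard `response.successBody && createDPoPOpts && createDPoPOpts && ...` repeats `createDPoPOpts` (a typo) and, more importantly, keys the check on the options object rather than on whether a DPoP proof was actually sent; the context lines show `dPoP` is only set when `dPoPSigningAlgValuesSupported` is non-empty, so a caller passing `createDPoPOpts` against a server that advertises no DPoP algorithms sends a plain request and is then rejected by this check for returning a Bearer token. Binding the check to the proof that went on the wire, `if (response.successBody && dPoP && response.successBody.token_type !== 'DPoP') {`, keeps the intended downgrade protection (a sender-constrained request must not silently yield a non-DPoP token) without the false positive. Note also that OAuth 2.0 (RFC 6749 §5.1) treats `token_type` as case-insensitive, so a strict `!== 'DPoP'` would reject a compliant server answering `dpop`; comparing `.toLowerCase() !== 'dpop'` is safer if that matters here. The same two issues appear verbatim in the AccessTokenClientV1_0_11.ts hunk. The enclosing method begins before both hunks, so the declaration of `dPoP` and `createDPoPOpts` is not visible here.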
@@ -100,7 +100,13 @@ export class AccessTokenClientV1_0_11 {
 dPoP = createDPoPOpts ? await createDPoP(getCreateDPoPOptions(createDPoPOpts, requestTokenURL)) : undefined;
 }
- return this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? { headers: { dPoP } } : undefined);
+ const response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? { headers: { dPoP } } : undefined);
+
+ if (response.successBody && createDPoPOpts && createDPoPOpts && response.successBody.token_type !== 'DPoP') {
+ throw new Error('Invalid token type returned. Expected DPoP. Received: ' + response.successBody.token_type);
+ }
+
+ return response;
 }
 
 public async createAccessTokenRequest(opts: Omit): Promise {