feat: Make sure redirect uri equals client_id if it is url #1983

TalaoDAO · Oct 5, 2023 · 01c6336 · 01c6336
1 parent baec321
commit 01c6336
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 32 deletions.
diff --git a/lib/app/shared/helper_functions/helper_functions.dart b/lib/app/shared/helper_functions/helper_functions.dart
@@ -720,9 +720,7 @@ Future<String> getHost({
 
       return '';
     } else {
-      final String? redirectUri = getRedirectUri(uri);
-      if (redirectUri == null) return '';
-      return Uri.parse(redirectUri).host;
+      return '';
     }
   }
 }
@@ -773,25 +771,6 @@ bool isURL(String input) {
   return uri != null && uri.hasScheme;
 }
 
-String? getRedirectUri(Uri uri) {
-  final clientId = uri.queryParameters['client_id'];
-  final redirectUri = uri.queryParameters['redirect_uri'];
-
-  /// if redirectUri is not provided and client_id is url then
-  /// redirectUri = client_id
-  if (redirectUri == null) {
-    if (clientId == null) return null;
-    final isUrl = isURL(clientId);
-    if (isUrl) {
-      return clientId;
-    } else {
-      return null;
-    }
-  } else {
-    return redirectUri;
-  }
-}
-
 int getIndexValue({required bool isEBSIV3}) {
   if (isEBSIV3) {
     return 3;

diff --git a/lib/dashboard/qr_code/qr_code_scan/cubit/qr_code_scan_cubit.dart b/lib/dashboard/qr_code/qr_code_scan/cubit/qr_code_scan_cubit.dart
@@ -605,7 +605,7 @@ class QRCodeScanCubit extends Cubit<QRCodeScanState> {
       }
     }
 
-    final scope = uri.queryParameters['scope'];
+    final scope = state.uri!.queryParameters['scope'];
     if (scope == null || scope != 'openid') {
       throw ResponseMessage(
         data: {
@@ -615,23 +615,24 @@ class QRCodeScanCubit extends Cubit<QRCodeScanState> {
       );
     }
 
+    final redirectUri = state.uri!.queryParameters['redirect_uri'];
+    final clientId = state.uri!.queryParameters['client_id'];
+    final isUrl = isURL(clientId.toString());
+
     log.i('responseType - $responseType');
     if (responseType == 'id_token') {
       /// verifier side (siopv2)
 
-      final String? redirectUri = getRedirectUri(state.uri!);
-
       if (redirectUri == null) {
         throw ResponseMessage(
           data: {
-            'error': 'unsupported_response_type',
+            'error': 'invalid_request',
             'error_description': 'The redirect_uri is missing.',
           },
         );
       }
 
-      final clientId = uri.queryParameters['client_id'];
-      if (redirectUri != clientId) {
+      if (isUrl && redirectUri != clientId) {
         throw ResponseMessage(
           data: {
             'error': 'invalid_request',
@@ -668,7 +669,6 @@ class QRCodeScanCubit extends Cubit<QRCodeScanState> {
         );
       }
       if (responseMode == 'direct_post') {
-        final redirectUri = state.uri!.queryParameters['redirect_uri'];
         final responseUri = state.uri!.queryParameters['response_uri'];
         final bothPresent = redirectUri != null && responseUri != null;
         final bothAbsent = redirectUri == null && responseUri == null;
@@ -683,6 +683,16 @@ class QRCodeScanCubit extends Cubit<QRCodeScanState> {
           );
         }
       }
+
+      if (redirectUri != null && isUrl && redirectUri != clientId) {
+        throw ResponseMessage(
+          data: {
+            'error': 'invalid_request',
+            'error_description': 'The client_id must be equal to redirect_uri.',
+          },
+        );
+      }
+
       await launchOIDC4VPAndSIOPV2Flow(keys);
     } else {
       throw ResponseMessage(

diff --git a/lib/scan/cubit/scan_cubit.dart b/lib/scan/cubit/scan_cubit.dart
@@ -545,8 +545,9 @@ class ScanCubit extends Cubit<ScanState> {
     await Future<void>.delayed(const Duration(milliseconds: 500));
 
     try {
-      final String? redirectUri = getRedirectUri(uri);
-      if (redirectUri == null) throw Exception();
+      final String responseOrRedirectUri =
+          uri.queryParameters['redirect_uri'] ??
+              uri.queryParameters['response_uri']!;
 
       final String idToken = await createIdToken(
         credentialsToBePresented: credentialsToBePresented!,
@@ -586,7 +587,7 @@ class ScanCubit extends Cubit<ScanState> {
       final formData = FormData.fromMap(responseData);
 
       final result = await client.post(
-        redirectUri,
+        responseOrRedirectUri,
         data: formData,
         headers: <String, dynamic>{
           'Content-Type': 'application/x-www-form-urlencoded',