curveball · evert · Sep 3, 2024 · Sep 3, 2024
diff --git a/schemas/app-client-edit-form.json b/schemas/app-client-edit-form.json
@@ -0,0 +1,52 @@
+{
+  "$schema": "https://json-schema.org/draft/2019-09/schema",
+  "$id": "https://curveballjs.org/schemas/a12nserver/app-client-edit-form.json",
+  "type": "object",
+  "title": "AppClientEditFormBody",
+  "description": "This is the request body used by the HTML form submission for editing new OAuth2 Clients (credentials)",
+
+  "required": [],
+  "additionalProperties": false,
+
+  "properties": {
+    "allowClientCredentials": {
+      "type": "string",
+      "const": "on",
+      "description": "Can the client can use the 'client_credentials' flow" 
+    },
+    "allowAuthorizationCode": {
+      "type": "string",
+      "const": "on",
+      "description": "Can the client can use the 'authorization_code' flow" 
+    },
+    "allowAuthorizationChallenge": {
+      "type": "string",
+      "const": "on",
+      "description": "Can the client can use the OAuth 2.0 for First Party Applications flow" 
+    },
+    "allowImplicit": {
+      "type": "string",
+      "const": "on",
+      "description": "Can the client can use the deprecated 'implicit' flow" 
+    },
+    "allowRefreshToken": {
+      "type": "string",
+      "const": "on",
+      "description": "Is the client allowed to refresh tokens" 
+    },
+    "allowPassword": {
+      "type": "string",
+      "const": "on",
+      "description": "Can the client can use the 'password' flow flow" 
+    },
+    "redirectUris": {
+      "type": "string",
+      "description": "List of redirect uris for the authorization_code and implicit flows." 
+    },
+    "requirePkce": {
+      "type": "string",
+      "const": "on",
+      "description": "Require 'Proof of Key Code Exchange' for authorization_code flow. If not set, PKCE is supported but not enforced."
+    }
+  }
+}
diff --git a/src/api-types.ts b/src/api-types.ts
@@ -5,6 +5,50 @@
  * and run json-schema-to-typescript to regenerate this file.
  */
 
+/**
+ * This is the request body used by the HTML form submission for editing new OAuth2 Clients (credentials)
+ */
+export interface AppClientEditFormBody {
+  /**
+   * Can the client can use the 'client_credentials' flow
+   */
+  allowClientCredentials?: "on";
+  /**
+   * Can the client can use the 'authorization_code' flow
+   */
+  allowAuthorizationCode?: "on";
+  /**
+   * Can the client can use the OAuth 2.0 for First Party Applications flow
+   */
+  allowAuthorizationChallenge?: "on";
+  /**
+   * Can the client can use the deprecated 'implicit' flow
+   */
+  allowImplicit?: "on";
+  /**
+   * Is the client allowed to refresh tokens
+   */
+  allowRefreshToken?: "on";
+  /**
+   * Can the client can use the 'password' flow flow
+   */
+  allowPassword?: "on";
+  /**
+   * List of redirect uris for the authorization_code and implicit flows.
+   */
+  redirectUris?: string;
+  /**
+   * Require 'Proof of Key Code Exchange' for authorization_code flow. If not set, PKCE is supported but not enforced.
+   */
+  requirePkce?: "on";
+}
+/* eslint-disable */
+/**
+ * This file was automatically generated by json-schema-to-typescript.
+ * DO NOT MODIFY IT BY HAND. Instead, modify the source JSONSchema file,
+ * and run json-schema-to-typescript to regenerate this file.
+ */
+
 /**
  * This is the request body used by the HTML form submission for creating new OAuth2 Clients (credentials)
  */

diff --git a/src/app-client/controller/edit.ts b/src/app-client/controller/edit.ts
@@ -6,6 +6,7 @@ import { PrincipalService } from '../../principal/service.js';
 import { findByClientId, edit } from '../service.js';
 import * as oauth2Service from '../../oauth2/service.js';
 import { GrantType } from '../../types.js';
+import { AppClientEditFormBody } from '../../api-types.js';
 
 class EditClientController extends Controller {
 
@@ -28,6 +29,7 @@ class EditClientController extends Controller {
 
   async post(ctx: Context<any>) {
 
+    ctx.request.validate<AppClientEditFormBody>('https://curveballjs.org/schemas/a12nserver/app-client-edit-form.json');
     const principalService = new PrincipalService(ctx.privileges);
     const app = await principalService.findByExternalId(ctx.params.id, 'app');
     if (!ctx.privileges.has('admin')) {
@@ -59,14 +61,17 @@ class EditClientController extends Controller {
       allowedGrantTypes.push('authorization_challenge');
     }
 
-    const redirectUris = ctx.request.body.redirectUris.trim().split(/\r\n|\n/).filter((line:string) => !!line);
+    let redirectUris: string[] = [];
+    if (ctx.request.body.redirectUris && typeof ctx.request.body.redirectUris === 'string') {
+      redirectUris = ctx.request.body.redirectUris.trim().split(/\r\n|\n/).filter((line:string) => !!line);
+    }
 
     if (!allowedGrantTypes) {
       throw new UnprocessableContent('You must specify the allowedGrantTypes property');
     }
 
     client.allowedGrantTypes = allowedGrantTypes;
-    client.requirePkce = ctx.request.body.requirePkce ?? false,
+    client.requirePkce = !!ctx.request.body.requirePkce;
 
     await edit(client, redirectUris);
     ctx.redirect(303, client.href);