package codersdk

import (

"net/url"

"slices"

"strings"

"golang.org/x/xerrors"

)

// RFC 7591 validation functions for Dynamic Client Registration

func (req *OAuth2ClientRegistrationRequest) Validate() error {

// Validate redirect URIs - required for authorization code flow

if len(req.RedirectURIs) == 0 {

return xerrors.New("redirect_uris is required for authorization code flow")

}

if err := validateRedirectURIs(req.RedirectURIs, req.TokenEndpointAuthMethod); err != nil {

return xerrors.Errorf("invalid redirect_uris: %w", err)

}

// Validate grant types if specified

if len(req.GrantTypes) > 0 {

if err := validateGrantTypes(req.GrantTypes); err != nil {

return xerrors.Errorf("invalid grant_types: %w", err)

}

}

// Validate response types if specified

if len(req.ResponseTypes) > 0 {

if err := validateResponseTypes(req.ResponseTypes); err != nil {

return xerrors.Errorf("invalid response_types: %w", err)

}

}

// Validate token endpoint auth method if specified

if req.TokenEndpointAuthMethod != "" {

if err := validateTokenEndpointAuthMethod(req.TokenEndpointAuthMethod); err != nil {

return xerrors.Errorf("invalid token_endpoint_auth_method: %w", err)

}

}

// Validate URI fields

if req.ClientURI != "" {

if err := validateURIField(req.ClientURI, "client_uri"); err != nil {

return err

}

}

if req.LogoURI != "" {

if err := validateURIField(req.LogoURI, "logo_uri"); err != nil {

return err

}

}

if req.TOSURI != "" {

if err := validateURIField(req.TOSURI, "tos_uri"); err != nil {

return err

}

}

if req.PolicyURI != "" {

if err := validateURIField(req.PolicyURI, "policy_uri"); err != nil {

return err

}

}

if req.JWKSURI != "" {

if err := validateURIField(req.JWKSURI, "jwks_uri"); err != nil {

return err

}

}

return nil

}

// ValidateRedirectURIScheme reports whether the callback URL's scheme is

// safe to use as a redirect target. It returns an error when the scheme

// is empty, an unsupported URN, or one of the schemes that are dangerous

// in browser/HTML contexts (javascript, data, file, ftp).

//

// Legitimate custom schemes for native apps (e.g. vscode://, jetbrains://)

// are allowed.

// ValidateRedirectURIScheme reports whether the callback URL's scheme is

// safe to use as a redirect target. It returns an error when the scheme

// is empty, an unsupported URN, or one of the schemes that are dangerous

// in browser/HTML contexts (javascript, data, file, ftp).

//

// Legitimate custom schemes for native apps (e.g. vscode://, jetbrains://)

// are allowed.

func ValidateRedirectURIScheme(u *url.URL) error {

return validateScheme(u)

}

func validateScheme(u *url.URL) error {

if u.Scheme == "" {

return xerrors.New("redirect URI must have a scheme")

}

// Handle special URNs (RFC 6749 section 3.1.2.1).

if u.Scheme == "urn" {

if u.String() == "urn:ietf:wg:oauth:2.0:oob" {

return nil

}

return xerrors.New("redirect URI uses unsupported URN scheme")

}

// Block dangerous schemes for security (not allowed by RFCs

// for OAuth2).

dangerousSchemes := []string{"javascript", "data", "file", "ftp"}

for _, dangerous := range dangerousSchemes {

if strings.EqualFold(u.Scheme, dangerous) {

return xerrors.Errorf("redirect URI uses dangerous scheme %s which is not allowed", dangerous)

}

}

return nil

}

// validateRedirectURIs validates redirect URIs according to RFC 7591, 8252

func validateRedirectURIs(uris []string, tokenEndpointAuthMethod OAuth2TokenEndpointAuthMethod) error {

if len(uris) == 0 {

return xerrors.New("at least one redirect URI is required")

}

for i, uriStr := range uris {

if uriStr == "" {

return xerrors.Errorf("redirect URI at index %d cannot be empty", i)

}

uri, err := url.Parse(uriStr)

if err != nil {

return xerrors.Errorf("redirect URI at index %d is not a valid URL: %w", i, err)

}

if err := validateScheme(uri); err != nil {

return xerrors.Errorf("redirect URI at index %d: %w", i, err)

}

// The urn:ietf:wg:oauth:2.0:oob scheme passed validation

// above but needs no further checks.

if uri.Scheme == "urn" {

continue

}

// Determine if this is a public client based on token endpoint auth method

isPublicClient := tokenEndpointAuthMethod == OAuth2TokenEndpointAuthMethodNone

// Handle different validation for public vs confidential clients

if uri.Scheme == "http" || uri.Scheme == "https" {

// HTTP/HTTPS validation (RFC 8252 section 7.3)

if uri.Scheme == "http" {

if isPublicClient {

// For public clients, only allow loopback (RFC 8252)

if !isLoopbackAddress(uri.Hostname()) {

return xerrors.Errorf("redirect URI at index %d: public clients may only use http with loopback addresses (127.0.0.1, ::1, localhost)", i)

}

} else {

// For confidential clients, allow localhost for development

if !isLocalhost(uri.Hostname()) {

return xerrors.Errorf("redirect URI at index %d must use https scheme for non-localhost URLs", i)

}

}

}

} else {

// Custom scheme validation for public clients (RFC 8252 section 7.1)

if isPublicClient {

// For public clients, custom schemes should follow RFC 8252 recommendations

// Should be reverse domain notation based on domain under their control

if !isValidCustomScheme(uri.Scheme) {

return xerrors.Errorf("redirect URI at index %d: custom scheme %s should use reverse domain notation (e.g. com.example.app)", i, uri.Scheme)

}

}

// For confidential clients, custom schemes are less common but allowed

}

// Prevent URI fragments (RFC 6749 section 3.1.2)

if uri.Fragment != "" || strings.Contains(uriStr, "#") {

return xerrors.Errorf("redirect URI at index %d must not contain a fragment component", i)

}

}

return nil

}

// validateGrantTypes validates OAuth2 grant types

func validateGrantTypes(grantTypes []OAuth2ProviderGrantType) error {

for _, grant := range grantTypes {

if !isSupportedGrantType(grant) {

return xerrors.Errorf("unsupported grant type: %s", grant)

}

}

// Ensure authorization_code is present if redirect_uris are specified

hasAuthCode := slices.Contains(grantTypes, OAuth2ProviderGrantTypeAuthorizationCode)

if !hasAuthCode {

return xerrors.New("authorization_code grant type is required when redirect_uris are specified")

}

return nil

}

func isSupportedGrantType(grant OAuth2ProviderGrantType) bool {

switch grant {

case OAuth2ProviderGrantTypeAuthorizationCode, OAuth2ProviderGrantTypeRefreshToken:

return true

}

return false

}

// validateResponseTypes validates OAuth2 response types

func validateResponseTypes(responseTypes []OAuth2ProviderResponseType) error {

for _, responseType := range responseTypes {

if !isSupportedResponseType(responseType) {

return xerrors.Errorf("unsupported response type: %s", responseType)

}

}

return nil

}

func isSupportedResponseType(responseType OAuth2ProviderResponseType) bool {

return responseType == OAuth2ProviderResponseTypeCode

}

// validateTokenEndpointAuthMethod validates token endpoint authentication method

func validateTokenEndpointAuthMethod(method OAuth2TokenEndpointAuthMethod) error {

if !method.Valid() {

return xerrors.Errorf("unsupported token endpoint auth method: %s", method)

}

return nil

}

// ValidatePKCECodeChallengeMethod validates PKCE code_challenge_method parameter.

// Per OAuth 2.1, only S256 is supported; plain is rejected for security reasons.

func ValidatePKCECodeChallengeMethod(method string) error {

if method == "" {

return nil // Optional, defaults to S256 if code_challenge is provided

}

m := OAuth2PKCECodeChallengeMethod(method)

if m == OAuth2PKCECodeChallengeMethodPlain {

return xerrors.New("code_challenge_method 'plain' is not supported; use 'S256'")

}

if m != OAuth2PKCECodeChallengeMethodS256 {

return xerrors.Errorf("unsupported code_challenge_method: %s", method)

}

return nil

}

// validateURIField validates a URI field

func validateURIField(uriStr, fieldName string) error {

if uriStr == "" {

return nil // Empty URIs are allowed for optional fields

}

uri, err := url.Parse(uriStr)

if err != nil {

return xerrors.Errorf("invalid %s: %w", fieldName, err)

}

// Require absolute URLs with scheme

if !uri.IsAbs() {

return xerrors.Errorf("%s must be an absolute URL", fieldName)

}

// Only allow http/https schemes

if uri.Scheme != "http" && uri.Scheme != "https" {

return xerrors.Errorf("%s must use http or https scheme", fieldName)

}

// For production, prefer HTTPS

// Note: we allow HTTP for localhost but prefer HTTPS for production

// This could be made configurable in the future

return nil

}

// isLocalhost checks if hostname is localhost (allows broader development usage)

func isLocalhost(hostname string) bool {

return hostname == "localhost" ||

hostname == "127.0.0.1" ||

hostname == "::1" ||

strings.HasSuffix(hostname, ".localhost")

}

// isLoopbackAddress checks if hostname is a strict loopback address (RFC 8252)

func isLoopbackAddress(hostname string) bool {

return hostname == "localhost" ||

hostname == "127.0.0.1" ||

hostname == "::1"

}

// isValidCustomScheme validates custom schemes for public clients (RFC 8252)

func isValidCustomScheme(scheme string) bool {

// For security and RFC compliance, require reverse domain notation

// Should contain at least one period and not be a well-known scheme

if !strings.Contains(scheme, ".") {

return false

}

// Block schemes that look like well-known protocols

wellKnownSchemes := []string{"http", "https", "ftp", "mailto", "tel", "sms"}

for _, wellKnown := range wellKnownSchemes {

if strings.EqualFold(scheme, wellKnown) {

return false

}

}

return true

}