my own indieAuth provider! indiko.dunkirk.sh/docs
indieauth oauth2-server

bug: allow not sending redirect url

dunkirk.sh 4ffe78b8 f05ffa1d

+6 -6
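--- a/src/routes/indieauth.ts
+++ b/src/routes/indieauth.ts
@@ -1775,16 +1775,15 @@
 }
 }
 
-if (!code || !client_id || !redirect_uri) {
-console.error("Token endpoint: missing parameters", {
+if (!code || !client_id) {
+console.error("Token endpoint: missing required parameters", {
 code: !!code,
 client_id: !!client_id,
-redirect_uri: !!redirect_uri,
 });
 return Response.json(
 {
 error: "invalid_request",
-error_description: "Missing required parameters",
+error_description: "Missing required parameters (code, client_id)",
 },
 { status: 400 },
 );
@@ -1879,8 +1878,9 @@
 );
 }
 
-// Verify redirect_uri matches
-if (authcode.redirect_uri !== redirect_uri) {
+// Verify redirect_uri matches if provided (per OAuth 2.0 RFC 6749 section 4.1.3)
+// redirect_uri is REQUIRED if it was included in the authorization request
+if (redirect_uri && authcode.redirect_uri !== redirect_uri) {
 console.error("Token endpoint: redirect_uri mismatch", {
 stored: authcode.redirect_uri,
 received: redirect_uri,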
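Review bot: The new guard `if (redirect_uri && authcode.redirect_uri !== redirect_uri)` in the second hunk skips the comparison whenever the client omits `redirect_uri`, so a code issued with a stored redirect URI can be redeemed without presenting it. That contradicts the comment added directly above it and RFC 6749 section 4.1.3, which makes the parameter required, with an identical value, when the authorization request carried one. This comparison is what binds a code to the redirect URI it was delivered to, so keying the test on the stored value keeps the binding: `if (authcode.redirect_uri && authcode.redirect_uri !== redirect_uri) {`. If omission has to be tolerated for some clients, it would be safer to allow it only when a PKCE `code_verifier` has been verified for this code. Whether that happens is not visible here, since the enclosing handler starts and ends outside both hunks.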