More secure redirect URIs

2 files changed, 24 insertions, 0 deletions

diff --git a/src/api/clients.rs b/src/api/clients.rs
index 27ef995..3f906bb 100644
--- a/src/api/clients.rs
+++ b/src/api/clients.rs
@@ -418,6 +418,16 @@ async fn update_client_redirect_uris(
 	let db = db.get_ref();
 	let id = *id;
 
+	for uri in body.0.iter() {
+		if uri.scheme() != "https" {
+			yeet!(CreateClientError::NonHttpsUri.into());
+		}
+
+		if uri.fragment().is_some() {
+			yeet!(CreateClientError::UriFragment.into())
+		}
+	}
+
 	if !db::client_id_exists(db, id).await.unwrap() {
 		yeet!(ClientNotFound::new(id).into());
 	}
diff --git a/src/models/client.rs b/src/models/client.rs
index 56b0ae6..38be37f 100644
--- a/src/models/client.rs
+++ b/src/models/client.rs
@@ -60,6 +60,10 @@ pub enum CreateClientError {
 	NoSecret,
 	#[error("Only confidential clients may be trusted")]
 	TrustedError,
+	#[error("Redirect URIs must not include a fragment component")]
+	UriFragment,
+	#[error("Redirect URIs must use HTTPS")]
+	NonHttpsUri,
 }
 
 impl ResponseError for CreateClientError {
@@ -93,6 +97,16 @@ impl Client {
 			yeet!(CreateClientError::TrustedError.into());
 		}
 
+		for redirect_uri in redirect_uris {
+			if redirect_uri.scheme() != "https" {
+				yeet!(CreateClientError::NonHttpsUri.into())
+			}
+
+			if redirect_uri.fragment().is_some() {
+				yeet!(CreateClientError::UriFragment.into())
+			}
+		}
+
 		Ok(Self {
 			id,
 			alias: Box::from(alias),