my own indieAuth provider! indiko.dunkirk.sh/docs
indieauth oauth2-server

bug: allow not sending redirect url

dunkirk.sh 77b8d838 745292c0

verified
+6 -6
+6 -6
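--- a/src/routes/indieauth.ts
+++ b/src/routes/indieauth.ts
@@ -1771,16 +1771,15 @@
 }
 }
 
-if (!code || !client_id || !redirect_uri) {
-console.error("Token endpoint: missing parameters", {
+if (!code || !client_id) {
+console.error("Token endpoint: missing required parameters", {
 code: !!code,
 client_id: !!client_id,
-redirect_uri: !!redirect_uri,
 });
 return Response.json(
 {
 error: "invalid_request",
-error_description: "Missing required parameters",
+error_description: "Missing required parameters (code, client_id)",
 },
 { status: 400 },
 );
@@ -1875,8 +1874,9 @@
 );
 }
 
-// Verify redirect_uri matches
-if (authcode.redirect_uri !== redirect_uri) {
+// Verify redirect_uri matches if provided (per OAuth 2.0 RFC 6749 section 4.1.3)
+// redirect_uri is REQUIRED if it was included in the authorization request
+if (redirect_uri && authcode.redirect_uri !== redirect_uri) {
 console.error("Token endpoint: redirect_uri mismatch", {
 stored: authcode.redirect_uri,
 received: redirect_uri,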
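Review bot: The new guard `if (redirect_uri && authcode.redirect_uri !== redirect_uri)` in the second hunk skips the comparison entirely when the token request omits redirect_uri, which contradicts the comment directly above it: RFC 6749 section 4.1.3 requires the parameter, with an identical value, whenever the authorization request carried one. As written, an authorization code issued for a specific redirect_uri can be redeemed without presenting that URI, so the token endpoint no longer enforces that binding. If the stored value is always set when the authorization request supplied one, keying the check on the stored side keeps the binding: `if (authcode.redirect_uri && authcode.redirect_uri !== redirect_uri) {`. If omission is deliberately tolerated for client compatibility, the comment should say so and name what still binds the code to the client (for example a PKCE code_verifier check, which is not visible in this hunk). The enclosing handler starts and ends outside the hunk.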