fix: reject unsupported token_type values
As per https://datatracker.ietf.org/doc/html/rfc6749#section-7.1

> The client MUST NOT use an access token if it does not understand
> the token type.
panva committed May 18, 2022
1 parent 4ba426f commit 3d2cc0c
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions src/index.ts
@@ -2125,6 +2125,10 @@ async function processGenericAccessTokenResponse(
// @ts-expect-error
json.token_type = json.token_type.toLowerCase()

if (json.token_type !== 'dpop' && json.token_type !== 'bearer') {
throw new UnsupportedOperationError('unsupported `token_type` value')
}

if (
json.expires_in !== undefined &&
(typeof json.expires_in !== 'number' || json.expires_in <= 0)
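Review bot: the new `if` block only executes after `json.token_type.toLowerCase()` on the line above it, so unless something earlier in processGenericAccessTokenResponse already asserts that `token_type` is a present string, a response with a missing or non-string `token_type` fails with a TypeError from `.toLowerCase()` instead of the intended UnsupportedOperationError; consider guarding with `typeof json.token_type === 'string'` before the lowercase (or folding it into the new condition), and including the rejected value in the error message so misbehaving authorization servers are easier to diagnose. The lowercase-then-compare approach itself is consistent with RFC 6749, which defines the `token_type` value as case insensitive.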
