added warning in docs, added extra tests that actually use parameters

Author: jorenvandeweyer

docs/model/spec.rst

@@ -1015,6 +1015,11 @@ This model function is **optional**. If not implemented, the ``redirectUri`` sho
 Returns ``true`` if the ``redirectUri`` is valid, ``false`` otherwise.
 
 **Remarks:**
+When implementing this method you should take care of possible security risks related to ``redirectUri``.
+.. _rfc6819: https://datatracker.ietf.org/doc/html/rfc6819
+
+Section-5.2.3.5 is implemented by default.
+.. _Section-5.2.3.5: https://datatracker.ietf.org/doc/html/rfc6819#section-5.2.3.5
 
 ::
 

test/integration/handlers/authorize-handler_test.js

@@ -635,7 +635,7 @@ describe('AuthorizeHandler integration', function() {
   });
 
   describe('validateRedirectUri()', function() {
-    it('should support empty model', function() {
+    it('should support empty method', function() {
       const model = {
         getAccessToken: function() {},
         getClient: function() {},

test/unit/handlers/authorize-handler_test.js

@@ -128,5 +128,51 @@ describe('AuthorizeHandler', function() {
         })
         .catch(should.fail);
     });
+
+    it('should be successful validation', function () {
+      const client = { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] };
+      const redirect_uri = 'http://example.com/cb';
+      const model = {
+        getAccessToken: function() {},
+        getClient: sinon.stub().returns(client),
+        saveAuthorizationCode: function() {},
+        validateRedirectUri: function (redirectUri, client) {
+          return client.redirectUris.includes(redirectUri);
+        }
+      };
+
+      const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
+      const request = new Request({ body: { client_id: 12345, client_secret: 'secret', redirect_uri }, headers: {}, method: {}, query: {} });
+
+      return handler.getClient(request)
+        .then((client) => {
+          client.should.equal(client);
+        });
+    });
+
+    it('should be unsuccessful validation', function () {
+      const client = { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] };
+      const redirect_uri = 'http://example.com/callback';
+      const model = {
+        getAccessToken: function() {},
+        getClient: sinon.stub().returns(client),
+        saveAuthorizationCode: function() {},
+        validateRedirectUri: function (redirectUri, client) {
+          return client.redirectUris.includes(redirectUri);
+        }
+      };
+
+      const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
+      const request = new Request({ body: { client_id: 12345, client_secret: 'secret', redirect_uri }, headers: {}, method: {}, query: {} });
+
+      return handler.getClient(request)
+        .then(() => {
+          throw Error('should not resolve');
+        })
+        .catch((err) => {
+          err.name.should.equal('invalid_client');
+          err.message.should.equal('Invalid client: `redirect_uri` does not match client value');
+        });
+    });
   });
 });