fix: reject malformed dpop htu with a clearer message

Author: panva

lib/helpers/validate_dpop.js

@@ -84,7 +84,9 @@ export default async (ctx, accessToken) => {
     {
       const expected = new URL(ctx.oidc.urlFor(ctx.oidc.route)).href;
       const actual = URL.parse(payload.htu);
-      if (!actual) return false;
+      if (!actual) {
+        throw new InvalidDpopProof('DPoP proof htu mismatch');
+      }
       actual.hash = '';
       actual.search = '';
 

test/dpop/dpop.test.js

@@ -967,6 +967,16 @@ describe('features.dPoP', () => {
         .expect(400)
         .expect({ error: 'invalid_dpop_proof', error_description: 'invalid DPoP key binding' });
     });
+
+    it('should be 400 for malformed htu', async function () {
+      await this.agent.post('/token')
+        .auth('client', 'secret')
+        .send({ grant_type: 'client_credentials' })
+        .set('DPoP', await DPoP(this.keypair, 'not a url', 'POST'))
+        .type('form')
+        .expect(400)
+        .expect({ error: 'invalid_dpop_proof', error_description: 'DPoP proof htu mismatch' });
+    });
   });
 
   describe('invalid nonce', () => {