client: require that the resource returned by PRM matches the server resource

ochafik · ochafik · commit 5b63dd6805b0 · 2025-06-17T18:07:12.000+01:00
diff --git a/src/client/auth.ts b/src/client/auth.ts
@@ -110,6 +110,9 @@ export async function auth(
     if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {
       authorizationServerUrl = resourceMetadata.authorization_servers[0];
     }
+    if (!resourceMetadata.resource || resourceMetadata.resource !== resource.href) {
+      throw new Error(`Resource returned by RFC9728 PRM (${resourceMetadata.resource}) doesn't match the expected resource ${resource.href}`);
+    }
   } catch (error) {
     console.warn("Could not load OAuth Protected Resource metadata, falling back to /.well-known/oauth-authorization-server", error)
   }

Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,9 @@ export async function auth(`
`110`	`110`	`if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {`
`111`	`111`	`authorizationServerUrl = resourceMetadata.authorization_servers[0];`
`112`	`112`	`}`
	`113`	`+ if (!resourceMetadata.resource \|\| resourceMetadata.resource !== resource.href) {`
	`114`	+ throw new Error(`Resource returned by RFC9728 PRM (${resourceMetadata.resource}) doesn't match the expected resource ${resource.href}`);
	`115`	`+ }`
`113`	`116`	`} catch (error) {`
`114`	`117`	`console.warn("Could not load OAuth Protected Resource metadata, falling back to /.well-known/oauth-authorization-server", error)`
`115`	`118`	`}`