Fix/exchange auth code sanitize redirect uri

.gitignore

@@ -24,4 +24,4 @@ dist-ssr
 *.sw?
 coverage
 
-api_
+api_

lib/sessionManager/types.ts

@@ -48,9 +48,9 @@ export type StorageSettingsType = {
   onRefreshHandler?: (refreshType: RefreshType) => Promise<RefreshTokenResult>;
 };
 
-export abstract class SessionBase<V extends string = StorageKeys>
-  implements SessionManager<V>
-{
+export abstract class SessionBase<
+  V extends string = StorageKeys,
+> implements SessionManager<V> {
   abstract asyncStore: boolean;
   private listeners: Set<StoreListener> = new Set();
   private notificationScheduled = false;

lib/utils/exchangeAuthCode.test.ts

@@ -618,4 +618,69 @@ describe("exchangeAuthCode", () => {
       ),
     });
   });
+
+  it("sends a sanitized redirect_uri so /token matches the /authorize value", async () => {
+    const store = new MemoryStorage();
+    setActiveStorage(store);
+
+    await store.setItems({
+      [StorageKeys.state]: "abc",
+      [StorageKeys.codeVerifier]: "verifier",
+    });
+
+    const urlParams = new URLSearchParams({ state: "abc", code: "xyz" });
+
+    fetchMock.mockResponseOnce(
+      JSON.stringify({
+        access_token: "access_token",
+        refresh_token: "refresh_token",
+        id_token: "id_token",
+      }),
+    );
+
+    await exchangeAuthCode({
+      urlParams,
+      domain: "https://example.kinde.com",
+      clientId: "test-client",
+      redirectURL: "https://app.example.com/",
+    });
+
+    const [, requestInit] = fetchMock.mock.calls.at(-1)!;
+    const body = requestInit?.body as URLSearchParams;
+
+    expect(body.get("redirect_uri")).toBe("https://app.example.com");
+  });
+
+  it("preserves raw redirect_uri when disableUrlSanitization is true", async () => {
+    const store = new MemoryStorage();
+    setActiveStorage(store);
+
+    await store.setItems({
+      [StorageKeys.state]: "abc",
+      [StorageKeys.codeVerifier]: "verifier",
+    });
+
+    const urlParams = new URLSearchParams({ state: "abc", code: "xyz" });
+
+    fetchMock.mockResponseOnce(
+      JSON.stringify({
+        access_token: "access_token",
+        refresh_token: "refresh_token",
+        id_token: "id_token",
+      }),
+    );
+
+    await exchangeAuthCode({
+      urlParams,
+      domain: "https://example.kinde.com",
+      clientId: "test-client",
+      redirectURL: "https://app.example.com/",
+      disableUrlSanitization: true,
+    });
+
+    const [, requestInit] = fetchMock.mock.calls.at(-1)!;
+    const body = requestInit?.body as URLSearchParams;
+
+    expect(body.get("redirect_uri")).toBe("https://app.example.com/");
+  });
 });

lib/utils/exchangeAuthCode.ts

@@ -9,6 +9,7 @@ import {
 import { isCustomDomain } from ".";
 import { clearRefreshTimer, setRefreshTimer } from "./refreshTimer";
 import { isClient } from "./isClient";
+import { sanitizeUrl } from "./sanitizeUrl";
 
 export const frameworkSettings: {
   framework: string;
@@ -28,6 +29,7 @@ interface ExchangeAuthCodeParams {
   redirectURL: string;
   autoRefresh?: boolean;
   onRefresh?: (data: RefreshTokenResult) => void;
+  disableUrlSanitization?: boolean;
 }
 
 type ExchangeAuthCodeResultSuccess = {
@@ -72,6 +74,7 @@ export const exchangeAuthCode = async ({
   redirectURL,
   autoRefresh = false,
   onRefresh,
+  disableUrlSanitization = false,
 }: ExchangeAuthCodeParams): Promise<ExchangeAuthCodeResult> => {
   const state = urlParams.get("state");
   const code = urlParams.get("code");
@@ -143,7 +146,9 @@ export const exchangeAuthCode = async ({
     code,
     code_verifier: codeVerifier,
     grant_type: "authorization_code",
-    redirect_uri: redirectURL,
+    redirect_uri: disableUrlSanitization
+      ? redirectURL
+      : sanitizeUrl(redirectURL),
   });
 
   if (clientSecret) {