fix(oauth): harden refresh token refresh-response validation

2026-04-19 06:47:26 +00:00 · 2026-02-21 13:44:04 +01:00
parent 24d18d0d72
commit 6cb7e16d40
5 changed files with 93 additions and 6 deletions
--- a/src/providers/qwen-portal-oauth.test.ts
+++ b/src/providers/qwen-portal-oauth.test.ts
@@ -58,6 +58,48 @@ describe("refreshQwenPortalCredentials", () => {
    expect(result.refresh).toBe("old-refresh");
  });

+  it("keeps refresh token when response sends an empty refresh token", async () => {
+    const fetchSpy = vi.fn().mockResolvedValue({
+      ok: true,
+      status: 200,
+      json: async () => ({
+        access_token: "new-access",
+        refresh_token: "",
+        expires_in: 1800,
+      }),
+    });
+    vi.stubGlobal("fetch", fetchSpy);
+
+    const result = await refreshQwenPortalCredentials({
+      access: "old-access",
+      refresh: "old-refresh",
+      expires: Date.now() - 1000,
+    });
+
+    expect(result.refresh).toBe("old-refresh");
+  });
+
+  it("errors when refresh response has invalid expires_in", async () => {
+    const fetchSpy = vi.fn().mockResolvedValue({
+      ok: true,
+      status: 200,
+      json: async () => ({
+        access_token: "new-access",
+        refresh_token: "new-refresh",
+        expires_in: 0,
+      }),
+    });
+    vi.stubGlobal("fetch", fetchSpy);
+
+    await expect(
+      refreshQwenPortalCredentials({
+        access: "old-access",
+        refresh: "old-refresh",
+        expires: Date.now() - 1000,
+      }),
+    ).rejects.toThrow("Qwen OAuth refresh response missing or invalid expires_in");
+  });
+
  it("errors when refresh token is invalid", async () => {
    const fetchSpy = vi.fn().mockResolvedValue({
      ok: false,
--- a/src/providers/qwen-portal-oauth.ts
+++ b/src/providers/qwen-portal-oauth.ts
@@ -8,7 +8,8 @@ const QWEN_OAUTH_CLIENT_ID = "f0304373b74a44d2b584a3fb70ca9e56";
 export async function refreshQwenPortalCredentials(
  credentials: OAuthCredentials,
 ): Promise<OAuthCredentials> {
-  if (!credentials.refresh?.trim()) {
+  const refreshToken = credentials.refresh?.trim();
+  if (!refreshToken) {
    throw new Error("Qwen OAuth refresh token missing; re-authenticate.");
  }

@@ -20,7 +21,7 @@ export async function refreshQwenPortalCredentials(
    },
    body: new URLSearchParams({
      grant_type: "refresh_token",
-      refresh_token: credentials.refresh,
+      refresh_token: refreshToken,
      client_id: QWEN_OAUTH_CLIENT_ID,
    }),
  });
@@ -40,15 +41,22 @@ export async function refreshQwenPortalCredentials(
    refresh_token?: string;
    expires_in?: number;
  };
+  const accessToken = payload.access_token?.trim();
+  const newRefreshToken = payload.refresh_token?.trim();
+  const expiresIn = payload.expires_in;

-  if (!payload.access_token || !payload.expires_in) {
+  if (!accessToken) {
    throw new Error("Qwen OAuth refresh response missing access token.");
  }
+  if (typeof expiresIn !== "number" || !Number.isFinite(expiresIn) || expiresIn <= 0) {
+    throw new Error("Qwen OAuth refresh response missing or invalid expires_in.");
+  }

  return {
    ...credentials,
-    access: payload.access_token,
-    refresh: payload.refresh_token || credentials.refresh,
-    expires: Date.now() + payload.expires_in * 1000,
+    access: accessToken,
+    // RFC 6749 section 6: new refresh token is optional; if present, replace old.
+    refresh: newRefreshToken || refreshToken,
+    expires: Date.now() + expiresIn * 1000,
  };
 }