Handle POST bodies in /authorize

Author: jspahrsummers

src/server/auth/handlers/authorize.test.ts

@@ -306,7 +306,8 @@ describe('Authorization Handler', () => {
  it('handles POST requests the same as GET', async () => {
  const response = await supertest(app)
  .post('/authorize')
- .query({
+ .type('form')
+ .send({
  client_id: 'valid-client',
  response_type: 'code',
  code_challenge: 'challenge123',

src/server/auth/handlers/authorize.ts

@@ -33,6 +33,7 @@ export function authorizationHandler({ provider, rateLimit: rateLimitConfig }: A
  // Create a router to apply middleware
  const router = express.Router();
  router.use(allowedMethods(["GET", "POST"]));
+ router.use(express.urlencoded({ extended: false }));
 
  // Apply rate limiting unless explicitly disabled
  if (rateLimitConfig !== false) {
@@ -53,7 +54,8 @@ export function authorizationHandler({ provider, rateLimit: rateLimitConfig }: A
  router.all("/", async (req, res) => {
  let client_id, redirect_uri;
  try {
- ({ client_id, redirect_uri } = ClientAuthorizationParamsSchema.parse(req.query));
+ const data = req.method === 'POST' ? req.body : req.query;
+ ({ client_id, redirect_uri } = ClientAuthorizationParamsSchema.parse(data));
  } catch (error) {
  res.status(400).end(`Bad Request: ${error}`);
  return;
@@ -79,7 +81,8 @@ export function authorizationHandler({ provider, rateLimit: rateLimitConfig }: A
 
  let params;
  try {
- params = RequestAuthorizationParamsSchema.parse(req.query);
+ const authData = req.method === 'POST' ? req.body : req.query;
+ params = RequestAuthorizationParamsSchema.parse(authData);
  } catch (error) {
  const errorUrl = new URL(redirect_uri);
  errorUrl.searchParams.set("error", "invalid_request");