From 7cd181df71ebac46c1c6a0ffb00ad81f82b62f3a Mon Sep 17 00:00:00 2001
From: Hazelnoot
Date: Tue, 6 May 2025 13:08:40 -0400
Subject: [PATCH] improve type checks in POST /api/v1/apps endpoint
---
 .../src/server/api/mastodon/endpoints/apps.ts | 15 ++++++++-------
 packages/megalodon/src/misskey.ts | 12 ++++++------
 2 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/packages/backend/src/server/api/mastodon/endpoints/apps.ts b/packages/backend/src/server/api/mastodon/endpoints/apps.ts
index ec08600e53..aae6103146 100644
--- a/packages/backend/src/server/api/mastodon/endpoints/apps.ts
+++ b/packages/backend/src/server/api/mastodon/endpoints/apps.ts
@@ -47,9 +47,9 @@ const writeScope = [
 export interface AuthPayload {
 scopes?: string | string[],
- redirect_uris?: string,
- client_name?: string,
- website?: string,
+ redirect_uris?: string | string[],
+ client_name?: string | string[],
+ website?: string | string[],
 }
 // Not entirely right, but it gets TypeScript to work so *shrug*
@@ -66,7 +66,10 @@ export class ApiAppsMastodon {
 const body = _request.body ?? _request.query;
 if (!body.scopes) return reply.code(400).send({ error: 'BAD_REQUEST', error_description: 'Missing required payload "scopes"' });
 if (!body.redirect_uris) return reply.code(400).send({ error: 'BAD_REQUEST', error_description: 'Missing required payload "redirect_uris"' });
+ if (Array.isArray(body.redirect_uris)) return reply.code(400).send({ error: 'BAD_REQUEST', error_description: 'Invalid payload "redirect_uris": only one value is allowed' });
 if (!body.client_name) return reply.code(400).send({ error: 'BAD_REQUEST', error_description: 'Missing required payload "client_name"' });
+ if (Array.isArray(body.client_name)) return reply.code(400).send({ error: 'BAD_REQUEST', error_description: 'Invalid payload "client_name": only one value is allowed' });
+ if (Array.isArray(body.website)) return reply.code(400).send({ error: 'BAD_REQUEST', error_description: 'Invalid payload "website": only one value is allowed' });
 let scope = body.scopes;
 if (typeof scope === 'string') {
@@ -87,12 +90,10 @@ export class ApiAppsMastodon {
 }
 }
- const red = body.redirect_uris;
-
 const client = this.clientService.getClient(_request);
 const appData = await client.registerApp(body.client_name, {
 scopes: Array.from(pushScope),
- redirect_uris: red,
+ redirect_uri: body.redirect_uris,
 website: body.website,
 });
@@ -100,7 +101,7 @@ export class ApiAppsMastodon {
 id: Math.floor(Math.random() * 100).toString(),
 name: appData.name,
 website: body.website,
- redirect_uri: red,
+ redirect_uri: body.redirect_uris,
 client_id: Buffer.from(appData.url || '').toString('base64'),
 client_secret: appData.clientSecret,
 };
diff --git a/packages/megalodon/src/misskey.ts b/packages/megalodon/src/misskey.ts
index a7d604de26..cfca2c291c 100644
--- a/packages/megalodon/src/misskey.ts
+++ b/packages/megalodon/src/misskey.ts
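Review bot: In apps.ts, the three `Array.isArray` guards added in the `@@ -66,7 +66,10 @@` hunk reject only arrays, so any other non-string value (an object or a number, if this route also parses JSON bodies, which is not visible here) passes them and reaches `client.registerApp` and the response as if it were a string. Testing the type directly closes that gap: `if (typeof body.redirect_uris !== 'string')` and `if (typeof body.client_name !== 'string')` after the presence checks, and `if (body.website != null && typeof body.website !== 'string')` for the optional field. `redirect_uris` is also accepted without any check of its URI form or scheme before it is handed to `registerApp` (where, in misskey.ts, it becomes `callbackUrl`); unless something downstream validates it, this handler is the natural place to restrict it to the schemes the server intends to support. The handler body starts and ends outside the hunk.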
@@ -39,9 +39,9 @@ export default class Misskey implements MegalodonInterface {
 public async registerApp(
 client_name: string,
- options: Partial<{ scopes: Array; redirect_uris: string; website: string }> = {
+ options: Partial<{ scopes: Array; redirect_uri: string; website: string }> = {
 scopes: MisskeyAPI.DEFAULT_SCOPE,
- redirect_uris: this.baseUrl
+ redirect_uri: this.baseUrl
 }
 ): Promise {
 return this.createApp(client_name, options).then(async appData => {
@@ -62,12 +62,12 @@ export default class Misskey implements MegalodonInterface {
 */
 public async createApp(
 client_name: string,
- options: Partial<{ scopes: Array; redirect_uris: string; website: string }> = {
+ options: Partial<{ scopes: Array; redirect_uri: string; website: string }> = {
 scopes: MisskeyAPI.DEFAULT_SCOPE,
- redirect_uris: this.baseUrl
+ redirect_uri: this.baseUrl
 }
 ): Promise {
- const redirect_uris = options.redirect_uris || this.baseUrl
+ const redirect_uri = options.redirect_uri || this.baseUrl
 const scopes = options.scopes || MisskeyAPI.DEFAULT_SCOPE
 const params: {
@@ -79,7 +79,7 @@ export default class Misskey implements MegalodonInterface {
 name: client_name,
 description: '',
 permission: scopes,
- callbackUrl: redirect_uris
+ callbackUrl: redirect_uri
 }
 /**
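Review bot: In misskey.ts, renaming the option key from `redirect_uris` to `redirect_uri` in `registerApp` (`@@ -39,9 +39,9 @@`) and `createApp` (`@@ -62,12 +62,12 @@`) fails silently for any caller that was not updated: every key of the `Partial<…>` is optional and `createApp` falls back with `options.redirect_uri || this.baseUrl`, so a stale `redirect_uris` key is ignored and the app is registered with `this.baseUrl` as its callback. The patch touches only these two files, so it is worth confirming that the `MegalodonInterface` declaration and any other callers use the new name; an object literal is caught by the excess-property check, but an options object built elsewhere or passed through the interface type would not be. I would at least document it on both methods, e.g. `// option is redirect_uri (singular); when absent the callback defaults to this.baseUrl`. Both method bodies continue outside the hunks.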