Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate current window origin and redirecturi origin to prevent mismatches #615

Merged
merged 3 commits into from
Jan 16, 2018
Merged

Validate current window origin and redirecturi origin to prevent mismatches #615

merged 3 commits into from
Jan 16, 2018

Conversation

luisrudge
Copy link
Contributor

@luisrudge luisrudge commented Dec 29, 2017
edited
Loading

No description provided.

@luisrudge luisrudge changed the title Validate current window origin and redirecturi origin to prevent mism… Validate current window origin and redirecturi origin to prevent mismatches Dec 29, 2017
@luisrudge luisrudge added this to the v9.1.0 milestone Dec 29, 2017
cocojoe
cocojoe reviewed Jan 16, 2018
View reviewed changes
src/helper/window.js
var origin = location.origin;
if (!origin) {
origin =
location.protocol + '//' + location.hostname + (location.port ? ':' + location.port : '');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why the new line?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

prettier auto formatting.

src/web-auth/index.js
@@ -387,7 +388,7 @@ WebAuth.prototype.checkSession = function(options, cb) {
.with(options);

if (params.responseType === 'code') {
return cb(new Error("responseType can't be `code`"));
return cb({ error: 'error', error_description: "responseType can't be `code`" });
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why has this changed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it was wrong before. you couldn't catch the error because it was not using the standard error formatting {error, error_description}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok good was wondering that

src/web-auth/web-message-handler.js
@@ -11,8 +12,10 @@ function runWebMessageFlow(authorizeUrl, options, callback) {
timeout: options.timeout,
eventValidator: {
isValid: function(eventData) {
return eventData.event.data.type === 'authorization_response'
&& options.state === eventData.event.data.response.state;
return (
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why change?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also prettier

cocojoe
cocojoe approved these changes Jan 16, 2018
View reviewed changes
Copy link
Member

@cocojoe cocojoe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@luisrudge luisrudge merged commit ce402c8 into master Jan 16, 2018
@luisrudge luisrudge mentioned this pull request Jan 16, 2018
Merged
@luisrudge luisrudge deleted the fix-checksession-redirecturl branch January 22, 2018 20:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cocojoe cocojoe cocojoe approved these changes

Assignees
No one assigned
Labels
CH: Changed
Projects
None yet
Milestone
v9.1.0
Development

Successfully merging this pull request may close these issues.
2 participants
@luisrudge @cocojoe