Bugfix: Updated URL service isCallbackFromSts

docs/site/angular-auth-oidc-client/docs/documentation/configuration.md

@@ -264,6 +264,15 @@ Override the default Security Token Service well-known endpoint postfix.
 
 This is the `redirect_url` which was configured on the Security Token Service (STS).
 
+### `checkRedirectUrlWhenCheckingIfIsCallback`
+
+- Type: `boolean`
+- Required: `false`
+
+Whether to check if current URL matches the redirect URI when determining if current URL is in fact the redirect URI.
+
+Default = _true_
+
 ### `clientId`
 
 - Type: `string`

projects/angular-auth-oidc-client/src/lib/api/data.service.spec.ts

@@ -1,5 +1,12 @@
-import { HttpHeaders, provideHttpClient, withInterceptorsFromDi } from '@angular/common/http';
-import { HttpTestingController, provideHttpClientTesting } from '@angular/common/http/testing';
+import {
+  HttpHeaders,
+  provideHttpClient,
+  withInterceptorsFromDi,
+} from '@angular/common/http';
+import {
+  HttpTestingController,
+  provideHttpClientTesting,
+} from '@angular/common/http/testing';
 import { TestBed, waitForAsync } from '@angular/core/testing';
 import { DataService } from './data.service';
 import { HttpBaseService } from './http-base.service';
@@ -10,9 +17,14 @@ describe('Data Service', () => {
 
   beforeEach(() => {
     TestBed.configureTestingModule({
-    imports: [],
-    providers: [DataService, HttpBaseService, provideHttpClient(withInterceptorsFromDi()), provideHttpClientTesting()]
-});
+      imports: [],
+      providers: [
+        DataService,
+        HttpBaseService,
+        provideHttpClient(withInterceptorsFromDi()),
+        provideHttpClientTesting(),
+      ],
+    });
   });
 
   beforeEach(() => {

projects/angular-auth-oidc-client/src/lib/auth-state/check-auth.service.ts

@@ -225,7 +225,7 @@ export class CheckAuthService {
       return of(result);
     }
 
-    const isCallback = this.callbackService.isCallback(currentUrl);
+    const isCallback = this.callbackService.isCallback(currentUrl, config);
 
     this.loggerService.logDebug(
       config,

projects/angular-auth-oidc-client/src/lib/auth.module.ts

@@ -1,11 +1,18 @@
 import { CommonModule } from '@angular/common';
-import { provideHttpClient, withInterceptorsFromDi } from '@angular/common/http';
+import {
+  provideHttpClient,
+  withInterceptorsFromDi,
+} from '@angular/common/http';
 import { ModuleWithProviders, NgModule } from '@angular/core';
 import { PassedInitialConfig } from './auth-config';
 import { _provideAuth } from './provide-auth';
 
-@NgModule({ declarations: [],
-    exports: [], imports: [CommonModule], providers: [provideHttpClient(withInterceptorsFromDi())] })
+@NgModule({
+  declarations: [],
+  exports: [],
+  imports: [CommonModule],
+  providers: [provideHttpClient(withInterceptorsFromDi())],
+})
 export class AuthModule {
   static forRoot(
     passedConfig: PassedInitialConfig

projects/angular-auth-oidc-client/src/lib/auto-login/auto-login-partial-routes.guard.spec.ts

@@ -452,8 +452,10 @@ describe(`AutoLoginPartialRoutesGuard`, () => {
         );
         const loginSpy = spyOn(loginService, 'login');
 
-        const guard$ = TestBed.runInInjectionContext(
-          () => autoLoginPartialRoutesGuard({data: {custom: 'param'}} as unknown as ActivatedRouteSnapshot)
+        const guard$ = TestBed.runInInjectionContext(() =>
+          autoLoginPartialRoutesGuard({
+            data: { custom: 'param' },
+          } as unknown as ActivatedRouteSnapshot)
         );
 
         guard$.subscribe(() => {

projects/angular-auth-oidc-client/src/lib/auto-login/auto-login-partial-routes.guard.ts

@@ -77,7 +77,9 @@ export class AutoLoginPartialRoutesGuard {
   }
 }
 
-export function autoLoginPartialRoutesGuard(route?: ActivatedRouteSnapshot): Observable<boolean> {
+export function autoLoginPartialRoutesGuard(
+  route?: ActivatedRouteSnapshot
+): Observable<boolean> {
   const configurationService = inject(ConfigurationService);
   const authStateService = inject(AuthStateService);
   const loginService = inject(LoginService);

projects/angular-auth-oidc-client/src/lib/callback/callback.service.spec.ts

@@ -41,7 +41,7 @@ describe('CallbackService ', () => {
       const urlServiceSpy = spyOn(urlService, 'isCallbackFromSts');
 
       callbackService.isCallback('anyUrl');
-      expect(urlServiceSpy).toHaveBeenCalledOnceWith('anyUrl');
+      expect(urlServiceSpy).toHaveBeenCalledOnceWith('anyUrl', undefined);
     });
   });
 

projects/angular-auth-oidc-client/src/lib/callback/callback.service.ts

@@ -26,12 +26,12 @@ export class CallbackService {
     return this.stsCallbackInternal$.asObservable();
   }
 
-  isCallback(currentUrl: string): boolean {
+  isCallback(currentUrl: string, config?: OpenIdConfiguration): boolean {
     if (!currentUrl) {
       return false;
     }
 
-    return this.urlService.isCallbackFromSts(currentUrl);
+    return this.urlService.isCallbackFromSts(currentUrl, config);
   }
 
   handleCallbackAndFireEvents(

projects/angular-auth-oidc-client/src/lib/callback/interval.service.ts

@@ -40,4 +40,3 @@ export class IntervalService {
     });
   }
 }
-

projects/angular-auth-oidc-client/src/lib/config/auth-well-known/auth-well-known-data.service.spec.ts

@@ -104,7 +104,10 @@ describe('AuthWellKnownDataService', () => {
       const urlWithSuffix = `${urlWithoutSuffix}/.well-known/test-openid-configuration`;
 
       (service as any)
-        .getWellKnownDocument(urlWithoutSuffix, { configId: 'configId1', authWellknownUrlSuffix: '/.well-known/test-openid-configuration' })
+        .getWellKnownDocument(urlWithoutSuffix, {
+          configId: 'configId1',
+          authWellknownUrlSuffix: '/.well-known/test-openid-configuration',
+        })
         .subscribe(() => {
           expect(dataServiceSpy).toHaveBeenCalledOnceWith(urlWithSuffix, {
             configId: 'configId1',

projects/angular-auth-oidc-client/src/lib/config/auth-well-known/auth-well-known.service.spec.ts

@@ -37,16 +37,17 @@ describe('AuthWellKnownService', () => {
 
   describe('getAuthWellKnownEndPoints', () => {
     it('getAuthWellKnownEndPoints throws an error if not config provided', waitForAsync(() => {
-      service
-        .queryAndStoreAuthWellKnownEndPoints(null)
-        .subscribe({
-          error: (error) => {
-            expect(error).toEqual(new Error('Please provide a configuration before setting up the module'))
-          }
-        });
+      service.queryAndStoreAuthWellKnownEndPoints(null).subscribe({
+        error: (error) => {
+          expect(error).toEqual(
+            new Error(
+              'Please provide a configuration before setting up the module'
+            )
+          );
+        },
+      });
     }));
 
-
     it('getAuthWellKnownEndPoints calls always dataservice', waitForAsync(() => {
       const dataServiceSpy = spyOn(
         dataService,

projects/angular-auth-oidc-client/src/lib/config/default-config.ts

@@ -6,6 +6,7 @@ export const DEFAULT_CONFIG: OpenIdConfiguration = {
   authWellknownEndpointUrl: '',
   authWellknownEndpoints: undefined,
   redirectUrl: 'https://please_set',
+  checkRedirectUrlWhenCheckingIfIsCallback: true,
   clientId: 'please_set',
   responseType: 'code',
   scope: 'openid email profile',

projects/angular-auth-oidc-client/src/lib/config/openid-configuration.ts

@@ -18,15 +18,21 @@ export interface OpenIdConfiguration {
   authWellknownEndpointUrl?: string;
   authWellknownEndpoints?: AuthWellKnownEndpoints;
 
-    /** 
-     * Override the default Security Token Service wellknown endpoint postfix. 
-     * 
-     * @default /.well-known/openid-configuration
-     */
+  /**
+   * Override the default Security Token Service wellknown endpoint postfix.
+   *
+   * @default /.well-known/openid-configuration
+   */
   authWellknownUrlSuffix?: string;
 
   /** The redirect URL defined on the Security Token Service. */
   redirectUrl?: string;
+  /**
+   * Whether to check if current URL matches the redirect URI when determining
+   * if current URL is in fact the redirect URI.
+   * Default: true
+   */
+  checkRedirectUrlWhenCheckingIfIsCallback?: boolean;
   /**
    * The Client MUST validate that the aud (audience) Claim contains its `client_id` value
    * registered at the Issuer identified by the iss (issuer) Claim as an audience.

projects/angular-auth-oidc-client/src/lib/config/validation/config-validation.service.ts

@@ -21,7 +21,9 @@ export class ConfigValidationService {
 
   private validateConfigsInternal(
     passedConfigs: OpenIdConfiguration[],
-    allRulesToUse: ((passedConfig: OpenIdConfiguration[]) => RuleValidationResult)[]
+    allRulesToUse: ((
+      passedConfig: OpenIdConfiguration[]
+    ) => RuleValidationResult)[]
   ): boolean {
     if (passedConfigs.length === 0) {
       return false;
@@ -47,7 +49,9 @@ export class ConfigValidationService {
 
   private validateConfigInternal(
     passedConfig: OpenIdConfiguration,
-    allRulesToUse: ((passedConfig: OpenIdConfiguration) => RuleValidationResult)[]
+    allRulesToUse: ((
+      passedConfig: OpenIdConfiguration
+    ) => RuleValidationResult)[]
   ): boolean {
     const allValidationResults = allRulesToUse.map((rule) =>
       rule(passedConfig)

projects/angular-auth-oidc-client/src/lib/flows/callback-handling/code-flow-callback-handler.service.spec.ts

@@ -54,11 +54,13 @@ describe('CodeFlowCallbackHandlerService', () => {
 
       getUrlParameterSpy.withArgs('test-url', 'state').and.returnValue('');
 
-      service.codeFlowCallback('test-url', { configId: 'configId1' }).subscribe({
-        error: (err) => {
-          expect(err).toBeTruthy();
-        },
-      });
+      service
+        .codeFlowCallback('test-url', { configId: 'configId1' })
+        .subscribe({
+          error: (err) => {
+            expect(err).toBeTruthy();
+          },
+        });
     }));
 
     it('throws error if no code is given', waitForAsync(() => {
@@ -69,11 +71,13 @@ describe('CodeFlowCallbackHandlerService', () => {
 
       getUrlParameterSpy.withArgs('test-url', 'code').and.returnValue('');
 
-      service.codeFlowCallback('test-url', { configId: 'configId1' }).subscribe({
-        error: (err) => {
-          expect(err).toBeTruthy();
-        },
-      });
+      service
+        .codeFlowCallback('test-url', { configId: 'configId1' })
+        .subscribe({
+          error: (err) => {
+            expect(err).toBeTruthy();
+          },
+        });
     }));
 
     it('returns callbackContext if all params are good', waitForAsync(() => {

projects/angular-auth-oidc-client/src/lib/flows/callback-handling/history-jwt-keys-callback-handler.service.ts

@@ -142,7 +142,12 @@ export class HistoryJwtKeysCallbackHandlerService {
   ): void {
     let validationResult = ValidationResult.SecureTokenServerError;
 
-    if (result && typeof result === 'object' && 'error' in result && (result.error as string) === 'login_required') {
+    if (
+      result &&
+      typeof result === 'object' &&
+      'error' in result &&
+      (result.error as string) === 'login_required'
+    ) {
       validationResult = ValidationResult.LoginRequired;
     }
 

projects/angular-auth-oidc-client/src/lib/iframe/check-session.service.ts

@@ -31,7 +31,7 @@ export class CheckSessionService implements OnDestroy {
 
   private checkSessionReceived = false;
 
-  private scheduledHeartBeatRunning: number|null= null
+  private scheduledHeartBeatRunning: number | null = null;
 
   private lastIFrameRefresh = 0;
 
@@ -45,7 +45,10 @@ export class CheckSessionService implements OnDestroy {
     false
   );
 
-  private iframeMessageEventListener?: (this:Window, ev: MessageEvent<any>) => any;
+  private iframeMessageEventListener?: (
+    this: Window,
+    ev: MessageEvent<any>
+  ) => any;
 
   get checkSessionChanged$(): Observable<boolean> {
     return this.checkSessionChangedInternal$.asObservable();
@@ -224,10 +227,11 @@ export class CheckSessionService implements OnDestroy {
           }
 
           this.zone.runOutsideAngular(() => {
-            this.scheduledHeartBeatRunning = this.document?.defaultView?.setTimeout(
-              () => this.zone.run(pollServerSessionRecur),
-              this.heartBeatInterval
-            ) ?? null;
+            this.scheduledHeartBeatRunning =
+              this.document?.defaultView?.setTimeout(
+                () => this.zone.run(pollServerSessionRecur),
+                this.heartBeatInterval
+              ) ?? null;
           });
         });
     };
@@ -236,7 +240,7 @@ export class CheckSessionService implements OnDestroy {
   }
 
   private clearScheduledHeartBeat(): void {
-    if(this.scheduledHeartBeatRunning !== null) {
+    if (this.scheduledHeartBeatRunning !== null) {
       clearTimeout(this.scheduledHeartBeatRunning);
       this.scheduledHeartBeatRunning = null;
     }

projects/angular-auth-oidc-client/src/lib/interceptor/auth.interceptor.spec.ts

@@ -5,7 +5,10 @@ import {
   withInterceptors,
   withInterceptorsFromDi,
 } from '@angular/common/http';
-import { HttpTestingController, provideHttpClientTesting } from '@angular/common/http/testing';
+import {
+  HttpTestingController,
+  provideHttpClientTesting,
+} from '@angular/common/http/testing';
 import { TestBed, waitForAsync } from '@angular/core/testing';
 import { mockProvider } from '../../test/auto-mock';
 import { AuthStateService } from '../auth-state/auth-state.service';
@@ -233,7 +236,7 @@ describe(`AuthHttpInterceptor`, () => {
       ]);
       spyOn(
         closestMatchingRouteService,
-        'getConfigIdForClosestMatchingRoute',
+        'getConfigIdForClosestMatchingRoute'
       ).and.returnValue({
         matchingRoute: null,
         matchingConfig: null,

projects/angular-auth-oidc-client/src/lib/interceptor/auth.interceptor.ts

@@ -1,4 +1,11 @@
-import { HttpEvent, HttpHandler, HttpHandlerFn, HttpInterceptor, HttpInterceptorFn, HttpRequest } from '@angular/common/http';
+import {
+  HttpEvent,
+  HttpHandler,
+  HttpHandlerFn,
+  HttpInterceptor,
+  HttpInterceptorFn,
+  HttpRequest,
+} from '@angular/common/http';
 import { Injectable, inject } from '@angular/core';
 import { Observable } from 'rxjs';
 import { AuthStateService } from '../auth-state/auth-state.service';

projects/angular-auth-oidc-client/src/lib/logging/abstract-logger.service.ts

@@ -5,10 +5,9 @@ import { Injectable } from '@angular/core';
  */
 @Injectable({ providedIn: 'root' })
 export abstract class AbstractLoggerService {
-  abstract logError(message: string|object, ...args: any[]): void;
+  abstract logError(message: string | object, ...args: any[]): void;
 
-  abstract logWarning(message: string|object, ...args: any[]): void;
+  abstract logWarning(message: string | object, ...args: any[]): void;
 
-  abstract logDebug(message: string|object, ...args: any[]): void;
+  abstract logDebug(message: string | object, ...args: any[]): void;
 }
-

projects/angular-auth-oidc-client/src/lib/logging/console-logger.service.ts

@@ -3,15 +3,15 @@ import { AbstractLoggerService } from './abstract-logger.service';
 
 @Injectable({ providedIn: 'root' })
 export class ConsoleLoggerService implements AbstractLoggerService {
-  logError(message: string|object, ...args: any[]): void {
+  logError(message: string | object, ...args: any[]): void {
     console.error(message, ...args);
   }
 
-  logWarning(message: string|object, ...args: any[]): void {
+  logWarning(message: string | object, ...args: any[]): void {
     console.warn(message, ...args);
   }
 
-  logDebug(message: string|object, ...args: any[]): void {
+  logDebug(message: string | object, ...args: any[]): void {
     console.debug(message, ...args);
   }
 }