Check OAuth2 redirect URL for matching callback URL and authorization code in query parameters

In an Authorization code flow, there may be multiple intermediate redirects before reaching the final one which matches the callback URL and has a code in the query params.

We should wait until we see a redirect URI that matches both conditions. This fixes the issue where, when a redirect contains `code` as a query param but is not the final one (i.e., is not to the callback URL), an error is thrown saying the callback URL is invalid.

Fixes #2147
dakshin-k committed Apr 21, 2024
1 parent 59ffb01 commit 6cfcfb3
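The commit message above describes waiting for the redirect that both reaches the callback URL and carries a `code`. As an added example that is not part of this commit or the project's code, the following JavaScript implements that wait with an exact origin-and-path comparison of the parsed URLs rather than a substring test; the helper names `isFinalCallback`, `classifyRedirect` and `resolveAuthorizationCode` and all URLs are assumptions constructed for the example.

```javascript
// Added example, not code from the commit above: decide whether a redirect seen in the
// OAuth2 authorization-code popup is the final callback by comparing the parsed
// origin and path against the callback URL, instead of a substring test, and only
// then read the `code` parameter. All URLs here are constructed sample values.
function parseUrl(value) {
  try { return new URL(value); } catch { return null; } // malformed: ignore this hop
}

// True only when scheme, host, port and path match the registered callback exactly.
// A hop that merely embeds the callback URL (e.g. as a query value) does not match.
function isFinalCallback(redirectUrl, callbackUrl) {
  const target = parseUrl(redirectUrl);
  const cb = parseUrl(callbackUrl);
  if (!target || !cb) return false;
  return target.origin === cb.origin && target.pathname === cb.pathname;
}

// Returns { code } once the callback redirect carries a code, { error } when the
// authorization server reports one, or null to keep waiting for the next redirect.
function classifyRedirect(redirectUrl, callbackUrl) {
  const target = parseUrl(redirectUrl);
  if (!target) return null;
  const params = target.searchParams;
  if (params.has('error')) {
    return { error: params.get('error'), description: params.get('error_description') };
  }
  if (isFinalCallback(redirectUrl, callbackUrl) && params.has('code')) {
    return { code: params.get('code') };
  }
  return null;
}

// Walk a chain of observed redirects and return the first decisive result.
function resolveAuthorizationCode(redirects, callbackUrl) {
  for (const url of redirects) {
    const result = classifyRedirect(url, callbackUrl);
    if (result) return result;
  }
  return null; // chain ended (e.g. window closed) before the callback was reached
}

// Constructed redirect chain with two misleading intermediate hops.
const CALLBACK_URL = 'https://app.example.test/oauth/callback';
const SAMPLE_CHAIN = [
  'https://idp.example.test/continue?code=abc123&state=xyz',          // code, but not the callback
  'https://idp.example.test/consent?next=' + CALLBACK_URL + '&code=x', // contains the callback URL as a value
  CALLBACK_URL + '?code=real456&state=xyz',                           // the real callback
];
```

Running `resolveAuthorizationCode(SAMPLE_CHAIN, CALLBACK_URL)` skips both intermediate hops and returns `{ code: 'real456' }`, whereas a plain `url.includes(callbackUrl)` test would already have accepted the second hop.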
Showing 1 changed file with 2 additions and 5 deletions.
Expand Up @@ -30,12 +30,9 @@ const authorizeUserInWindow = ({ authorizeUrl, callbackUrl, session }) => {
});

function onWindowRedirect(url) {
// check if the url contains an authorization code
if (new URL(url).searchParams.has('code')) {
// check if the redirect is to the callback URL and if it contains an authorization code
if (url && url.includes(callbackUrl) && new URL(url).searchParams.has('code')) {
finalUrl = url;
if (!url || !finalUrl.includes(callbackUrl)) {
reject(new Error('Invalid Callback Url'));
}
window.close();
}
if (url.match(/(error=).*/) || url.match(/(error_description=).*/) || url.match(/(error_uri=).*/)) {
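Review bot: `url.includes(callbackUrl)` on the new condition line is a substring test, so an intermediate redirect whose URL merely contains the callback URL somewhere (for example as the value of a `next` or `redirect_uri` parameter) together with a `code` parameter would be treated as the final callback and close the window. Compare the parsed URL instead, e.g. `const u = new URL(url); const cb = new URL(callbackUrl);` followed by `u.origin === cb.origin && u.pathname === cb.pathname && u.searchParams.has('code')`. Two smaller points: `new URL(url)` throws on a malformed string, which the `url &&` guard does not cover, so wrap the parse in a try/catch or parse once up front; and with `reject(new Error('Invalid Callback Url'))` removed, this handler no longer settles the promise for a redirect sequence that never reaches the callback, so a window-closed handler outside this hunk must reject it or the caller will hang.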
