fix: Check OAuth2 redirect URL for matching callback URL and authorization code in query parameters #2148
Open
dakshin-k wants to merge 3 commits into usebruno:main from dakshin-k:fix-callback-url-check
packages/bruno-electron/tests/network/authorize-user.spec.js (20 additions & 0 deletions)
@@ -0,0 +1,20 @@ | ||
const { matchesCallbackUrl } = require('../../src/ipc/network/authorize-user-in-window'); | ||
|
||
describe('matchesCallbackUrl', () => { | ||
const testCases = [ | ||
{ url: null, expected: false }, | ||
{ url: '', expected: false }, | ||
{ url: 'https://random-url/endpoint', expected: false }, | ||
{ url: 'https://random-url/endpoint?code=abcd', expected: false }, | ||
{ url: 'https://callback.url/endpoint?code=abcd', expected: true }, | ||
{ url: 'https://callback.url/endpoint/?code=abcd', expected: true } | ||
]; | ||
|
||
it.each(testCases)('$url - should be $expected', ({ url, expected }) => { | ||
let callBackUrl = 'https://callback.url/endpoint'; | ||
|
||
let actual = matchesCallbackUrl(url, callBackUrl); | ||
|
||
expect(actual).toBe(expected); | ||
}); | ||
}); |
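Review bot: the suite has no negative case for a URL on the callback host but a different path (the same-server scenario raised in the discussion), nor for one that merely extends the callback as a string prefix, so a loose check such as a hostname compare or `startsWith` on the href would still pass every case listed here; add something like `{ url: 'https://callback.url/authorize?client_id=x', expected: false }` and `{ url: 'https://callback.url/endpoint-other?code=abcd', expected: false }`. A callback URL that already carries its own query string, and the callback reached without a `code` parameter (which the PR title says should not match), are also untested. Style: `callBackUrl` and `actual` are never reassigned, so `const` rather than `let`, and the usual spelling is `callbackUrl`.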
Nope: my callback URL is pointing to the same server as the auth URL. It will pass this check and fail on the missing 'code' even before the first redirect.
Oh man, there are lots of edge cases here 😅
Comparing the href as you suggested earlier will not work, as the href includes any query params in the URL, i.e. while it solves the trailing / problem it breaks for the below case:
This is the reason I compared against hostname instead of href. I currently don't have a better idea to implement this, will think about it and come back later.
Ideas are welcome if I'm missing something 😇
The function could be something similar to this @dakshin-k
Edit:
Not recommended, seems like overkill.
The below solution should be enough
Wouldn't this suffice?
testUrl.href.startsWith(callbackUrl.href)
The spec mandates the code param is appended to the query component, so it should be at the end. Also luckily the fragment component (the URL part after #) is not allowed, so it does not have to be handled.
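An added example, not Bruno's code, of a structural match that covers the cases discussed in this thread (the trailing slash, query parameters carried by the callback URL itself, and the same-server case where the auth and callback URLs share a host). The names `matchesCallbackUrl`, `extractAuthorizationResponse` and `normalizePath` and the sample URLs are assumed for illustration. It goes beyond the `startsWith` prefix check above by comparing origin and path separately, which also rejects a URL that merely extends the callback path as a string prefix:

```javascript
// Added example, not Bruno's code: a structural callback-URL match for the
// OAuth2 authorization-code flow. The function names below are assumed for
// illustration and are not Bruno's exported API. Uses the WHATWG URL global
// available in Node.js and browsers.

// "/endpoint" and "/endpoint/" are treated as the same path; "/" stays "/".
function normalizePath(pathname) {
  return pathname.length > 1 && pathname.endsWith('/')
    ? pathname.slice(0, -1)
    : pathname;
}

// True only when testUrl is the registered callback: same scheme, host and
// port, same path (modulo trailing slash), and every query parameter the
// callback itself carries is still present with the same value. Parameters
// the server appended (code, state, error) are allowed on top of that.
function matchesCallbackUrl(testUrl, callbackUrl) {
  if (!testUrl || !callbackUrl) {
    return false;
  }
  let actual;
  let expected;
  try {
    actual = new URL(testUrl);
    expected = new URL(callbackUrl);
  } catch (err) {
    return false; // not an absolute URL
  }
  // origin is scheme + host + port, so "http://callback.url/endpoint" and
  // "https://callback.url:8443/endpoint" are rejected here ...
  if (actual.origin !== expected.origin) {
    return false;
  }
  // ... and "https://callback.url/authorize" (the auth endpoint on the same
  // server) or "https://callback.url/endpoint-other" are rejected here.
  if (normalizePath(actual.pathname) !== normalizePath(expected.pathname)) {
    return false;
  }
  // RFC 6749 section 3.1.2.2: query parameters in the registered redirect
  // URI must be retained by the authorization server.
  for (const [key, value] of expected.searchParams) {
    if (actual.searchParams.get(key) !== value) {
      return false;
    }
  }
  return true;
}

// Returns null while the window is anywhere other than the callback, or is on
// the callback but the server has not appended code or error yet. Otherwise
// returns the authorization response fields (RFC 6749 sections 4.1.2 and
// 4.1.2.1) for the caller to act on.
function extractAuthorizationResponse(testUrl, callbackUrl) {
  if (!matchesCallbackUrl(testUrl, callbackUrl)) {
    return null;
  }
  const params = new URL(testUrl).searchParams;
  const code = params.get('code');
  const error = params.get('error');
  if (code === null && error === null) {
    return null;
  }
  return { code, error, state: params.get('state') };
}

// Constructed sample URLs mirroring the edge cases raised in the thread.
const sampleCallback = 'https://callback.url/endpoint';
const sampleUrls = [
  'https://callback.url/endpoint/?code=abcd',       // trailing slash: match
  'https://callback.url/authorize?client_id=bruno', // same host, other path
  'https://callback.url/endpoint-other?code=abcd',  // string prefix only
  'https://callback.url/endpoint?error=access_denied',
];
for (const url of sampleUrls) {
  console.log(url, '->', extractAuthorizationResponse(url, sampleCallback));
}
```

The `state` value is only extracted here, not verified; the caller still has to compare it with the value it sent in the authorization request (RFC 6749 section 10.12) before exchanging the code.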
Thanks, that worked! I have pushed the change, would someone mind testing it out once?
I faced a weird problem testing locally, not sure if I introduced a bug or found an existing one 😅
I'm able to generate auth tokens successfully now, but I can't make any requests. When I click the send request button, it just shows me the response from my OAuth server with the access token; it doesn't actually make a request using that token or display that response:
I wouldn't mind that. That's actually #1999
Ah okay, thanks!
So I guess that's it on this PR? Let me know if there's anything further to do!