fix: disable callback URLs with protocols "javascript" and "data"

This commit is contained in:
ItalyPaleAle
2026-03-26 20:18:13 -07:00
parent a06d9d21e4
commit 76da41f126
6 changed files with 103 additions and 54 deletions


@@ -71,19 +71,16 @@
reauthToken = await webauthnService.reauthenticate(authResponse);
}
await oidService
.authorize(
client!.id,
scope,
callbackURL,
nonce,
codeChallenge,
codeChallengeMethod,
reauthToken
)
.then(async ({ code, callbackURL, issuer }) => {
onSuccess(code, callbackURL, issuer);
});
const authResult = await oidService.authorize(
client!.id,
scope,
callbackURL,
nonce,
codeChallenge,
codeChallengeMethod,
reauthToken
);
onSuccess(authResult.code, authResult.callbackURL, authResult.issuer);
} catch (e) {
errorMessage = getWebauthnErrorMessage(e);
isLoading = false;
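Review bot: Now that `onSuccess` is called directly after the awaited `authorize` instead of inside a `.then`, the `Error('Invalid redirect URL protocol')` it throws (second hunk) reaches the `catch (e)` at the end of this hunk and is fed to `getWebauthnErrorMessage(e)`; unless that helper passes non-WebAuthn errors through unchanged, the user gets a WebAuthn-flavoured message for what is really a redirect-URL validation failure — confirm against the helper, or validate `callbackURL` before the WebAuthn/authorize steps so the failure is reported on its own path. Note also that `new URL(callbackURL)` throws a `TypeError` for a malformed URL, which now takes the same route through the WebAuthn error mapper. Relatedly, the protocol check in `onSuccess` is a denylist of two schemes; for an OIDC redirect target an allowlist is the more robust shape, e.g. `if (redirectURL.protocol !== 'https:' && redirectURL.protocol !== 'http:') throw new Error('Invalid redirect URL protocol');`, with the server-side match against the client's registered redirect URIs in `oidService.authorize` (not visible here) remaining the primary control. The enclosing `try` block begins outside this hunk.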
@@ -91,13 +88,17 @@
}
function onSuccess(code: string, callbackURL: string, issuer: string) {
const redirectURL = new URL(callbackURL);
if (redirectURL.protocol == 'javascript:' || redirectURL.protocol == 'data:') {
throw new Error('Invalid redirect URL protocol');
}
redirectURL.searchParams.append('code', code);
redirectURL.searchParams.append('state', authorizeState);
redirectURL.searchParams.append('iss', issuer);
success = true;
setTimeout(() => {
const redirectURL = new URL(callbackURL);
redirectURL.searchParams.append('code', code);
redirectURL.searchParams.append('state', authorizeState);
redirectURL.searchParams.append('iss', issuer);
window.location.href = redirectURL.toString();
}, 1000);
}