Merge pull request #404 from cloudflare/sven/fix-auth-relative-url

handle relative URL on first-login
sven/debug6
Sven Sauleau 2023-03-27 15:58:45 +02:00 zatwierdzone przez GitHub
commit 42d232923d
Nie znaleziono w bazie danych klucza dla tego podpisu
ID klucza GPG: 4AEE18F83AFDEB23
2 zmienionych plików z 30 dodań i 1 usunięć

Wyświetl plik

@ -174,6 +174,31 @@ describe('Mastodon APIs', () => {
assert((await getSigningKey(userKEK, db, actor as Actor)) instanceof CryptoKey)
})
test('first login redirect relative URLs', async () => {
const db = await makeDB()
const params = new URLSearchParams({
redirect_uri: '/a',
})
const formData = new FormData()
formData.set('username', 'username')
formData.set('name', 'name')
const req = new Request('https://example.com/first-login?' + params, {
method: 'POST',
body: formData,
headers: {
cookie: `CF_Authorization=${TEST_JWT}`,
},
})
const res = await first_login.handlePostRequest(req, db, userKEK, accessDomain, accessAud)
assert.equal(res.status, 302)
const location = res.headers.get('location')
assert.equal(location, 'https://example.com/a')
})
test('token error on unknown client', async () => {
const db = await makeDB()
const body = new URLSearchParams({ code: 'some-code' })

Wyświetl plik

@ -55,6 +55,10 @@ export async function handlePostRequest(
return new Response('', { status: 400 })
}
const redirect_uri = decodeURIComponent(url.searchParams.get('redirect_uri') || '')
let redirect_uri = decodeURIComponent(url.searchParams.get('redirect_uri') || '')
if (redirect_uri.startsWith('/')) {
// URL is a relative URL, prepend the domain to it.
redirect_uri = 'https://' + url.hostname + redirect_uri
}
return Response.redirect(redirect_uri, 302)
}