From d3caa0d1474c3089f71af40facee7eb2c2f30957 Mon Sep 17 00:00:00 2001
From: Cellebyte
Date: Sun, 2 Jun 2024 00:41:01 +0200
Subject: [PATCH] Added changes from @nicolashenry out of \#9248
---
 dev-helpers/oauth2-redirect.html | 53 +++++++------------------------
 src/core/oauth2-authorize.js | 48 +++++++++++++++++++++++++++--
 src/core/plugins/auth/actions.js | 17 ++++++++++
 3 files changed, 73 insertions(+), 45 deletions(-)
diff --git a/dev-helpers/oauth2-redirect.html b/dev-helpers/oauth2-redirect.html
index 87a2eed8f5e..6bd294091d3 100644
--- a/dev-helpers/oauth2-redirect.html
+++ b/dev-helpers/oauth2-redirect.html
@@ -1,15 +1,13 @@ - - + + \ No newline at end of file
diff --git a/src/core/oauth2-authorize.js b/src/core/oauth2-authorize.js
index 6ec41c244d5..96e212b66a2 100644
--- a/src/core/oauth2-authorize.js
+++ b/src/core/oauth2-authorize.js
@@ -122,11 +122,53 @@ export default function authorize ( { auth, authActions, errActions, configs, au
 callback = authActions.authorizeAccessCodeWithFormParams
 }
- authActions.authPopup(url, {
+ const oauth2 = {
 auth: auth,
 state: state,
 redirectUrl: redirectUrl,
 callback: callback,
- errCb: errActions.newAuthErr
- })
+ errCb: errActions.newAuthErr,
+ handleAuth: (qp) => {
+ const isValid = qp.state === oauth2.state
+
+ if ((
+ oauth2.auth.schema.get("flow") === "accessCode" ||
+ oauth2.auth.schema.get("flow") === "authorizationCode" ||
+ oauth2.auth.schema.get("flow") === "authorization_code"
+ ) && !oauth2.auth.code) {
+ if (!isValid) {
+ oauth2.errCb({
+ authId: oauth2.auth.name,
+ source: "auth",
+ level: "warning",
+ message: "Authorization may be unsafe, passed state was changed in server Passed state wasn't returned from auth server"
+ })
+ }
+
+ if (qp.code) {
+ delete oauth2.state
+ oauth2.auth.code = qp.code
+ oauth2.callback({auth: oauth2.auth, redirectUrl: redirectUrl})
+ } else {
+ let oauthErrorMsg
+ if (qp.error) {
+ oauthErrorMsg = "["+qp.error+"]: " +
+ (qp.error_description ? qp.error_description+ ". " : "no accessCode received from the server. ") +
+ (qp.error_uri ? "More info: "+qp.error_uri : "")
+ }
+
+ oauth2.errCb({
+ authId: oauth2.auth.name,
+ source: "auth",
+ level: "error",
+ message: oauthErrorMsg || "[Authorization failed]: no accessCode received from the server"
+ })
+ }
+ } else {
+ oauth2.callback({auth: oauth2.auth, token: qp, isValid: isValid, redirectUrl: redirectUrl})
+ }
+ }
+ }
+
+ authActions.authPopup(url, oauth2)
 }
diff --git a/src/core/plugins/auth/actions.js b/src/core/plugins/auth/actions.js
index 799e9fc0638..cffcce9f3a3 100644
--- a/src/core/plugins/auth/actions.js
+++ b/src/core/plugins/auth/actions.js
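Review bot: In the authorization-code branch of `handleAuth`, a `state` mismatch is only reported (`level: "warning"`) and execution falls through to `if (qp.code)`, which still stores the code and calls `oauth2.callback`, so the token exchange proceeds on a response whose state does not match the one this client sent; state is the CSRF check for this flow and a mismatch should abort it. Add `return` right after the warning's `})` (and arguably raise it to `level: "error"`), rather than letting the exchange continue. The warning text also fuses two sentences, `"Authorization may be unsafe, passed state was changed in server Passed state wasn't returned from auth server"`; pick one, e.g. `"Authorization may be unsafe: the state returned by the authorization server does not match the one that was sent"`. The BroadcastChannel listener added in actions.js already drops messages whose state differs, so this matters mainly for any other caller of `handleAuth` (the redirect page's content is not readable in this patch). `authorize` itself starts before this hunk.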
@@ -51,6 +51,10 @@ export const preAuthorizeImplicit = (payload) => ( { authActions, errActions } )
 // remove oauth2 property from window after redirect from authentication
 delete win.swaggerUIRedirectOauth2
+ if (win.oauth2Channel) {
+ win.oauth2Channel.close()
+ delete win.oauth2Channel
+ }
 if ( flow !== "accessCode" && !isValid ) {
 errActions.newAuthErr( {
@@ -284,5 +288,18 @@ export const persistAuthorizationIfNeeded = () => ( { authSelectors, getConfigs
 export const authPopup = (url, swaggerUIRedirectOauth2) => ( ) => {
 win.swaggerUIRedirectOauth2 = swaggerUIRedirectOauth2
+ if (win.oauth2Channel) {
+ win.oauth2Channel.close()
+ }
+ const oauth2Channel = new BroadcastChannel("oauth2_channel")
+ oauth2Channel.addEventListener("message", event => {
+ const data = event.data
+ const state = data ? data.state : undefined
+ if (state === swaggerUIRedirectOauth2.state) {
+ swaggerUIRedirectOauth2.handleAuth(data)
+ }
+ })
+ win.oauth2Channel = oauth2Channel
+ win.open(url)
 }
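Review bot: The channel teardown added after `delete win.swaggerUIRedirectOauth2` lives in `preAuthorizeImplicit`, which the `flow !== "accessCode"` check just below suggests is the implicit-flow callback; the authorization-code path in this same patch dispatches to `authorizeAccessCodeWithFormParams` instead, and nothing visible here closes the channel on that path, so whether it is closed before the next `authPopup` replaces it cannot be confirmed from this hunk. A small helper such as `const closeOauth2Channel = () => { if (win.oauth2Channel) { win.oauth2Channel.close(); delete win.oauth2Channel } }` called from both callbacks (or from the channel listener itself once a matching message has been dispatched) would make the channel's lifetime independent of which flow ran. `preAuthorizeImplicit` starts and ends outside this hunk.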
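Review bot: `new BroadcastChannel("oauth2_channel")` runs unconditionally before `win.open(url)`, so in any environment that lacks the constructor (older browsers, jsdom-style test runners) `authPopup` throws and the popup is never opened. Guard the setup, e.g. `if (typeof BroadcastChannel !== "undefined") { … }` around the channel creation and listener, and keep `win.open(url)` outside the guard. The filter `state === swaggerUIRedirectOauth2.state` is also satisfied when both sides are `undefined`: `handleAuth` in oauth2-authorize.js does `delete oauth2.state` once a code is received, after which any message on this same-origin channel that carries no `state` at all is dispatched; require a real value, `if (typeof state === "string" && state !== "" && state === swaggerUIRedirectOauth2.state)`. The channel name is fixed, so every same-origin document shares it; that is acceptable because BroadcastChannel is origin-scoped, but the state comparison is then the only thing separating two concurrent Swagger UI tabs, which deserves a comment on the `const oauth2Channel` line.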