<!DOCTYPE html>
<html>
<head>
<style>
body {
background-color: #ffcccc;
}
</style>
</head>
<body>
OAuth3 RPC
<script src="../../assets/oauth3.org/oauth3.core.js"></script>
<script>
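;(function () {
  'use strict';

  // Relay page. A relying party sends the browser here with
  //   discoverFile=<name>&redirect_uri=<url>&state=<opaque>[&debug=1]
  // We fetch the named file from this directory, base64url-encode its JSON
  // and navigate back to redirect_uri carrying the result (or an error).
  // Every value read from the query string is attacker-controlled.

  // Taken from oauth3.core.js
  // TODO what about search within hash?
  var prefix = "(" + window.location.hostname + ") [.well-known/oauth3/]";

  var params = OAUTH3.query.parse(window.location.hash || window.location.search);
  if (params.debug) {
    console.warn(prefix, "DEBUG MODE ENABLED. Automatic redirects disabled.");
  }
  console.log(prefix, 'hash||search:');
  console.log(window.location.hash || window.location.search);
  console.log(prefix, 'params:');
  console.log(params);

  // Serving arbitrary files/paths is probably not a good idea.
  // Only these names are ever fetched, and only via the discoverFile parameter.
  var fileWhiteList = [
    "directives.json"
  , "scopes.json" ];

  // Minimal HTML escaping for the debug view, which writes query-derived
  // strings into innerHTML. Without it, redirect_uri could inject markup.
  function escapeHtml(value) {
    return String(value)
      .replace(/&/g, '&amp;')
      .replace(/</g, '&lt;')
      .replace(/>/g, '&gt;')
      .replace(/"/g, '&quot;')
      .replace(/'/g, '&#39;');
  }

  // redirect_uri receives the result and is where this page navigates, so it
  // must be an absolute https:// URL (not javascript:, data:, http: or a
  // relative path) and must not carry a fragment, since we append a query.
  // This does NOT stop an open redirect to an arbitrary https origin; checking
  // redirect_uri against a registered list is still TODO.
  function isAcceptableRedirectUri(uri) {
    return typeof uri === 'string' && /^https:\/\/[^\s#]+$/i.test(uri);
  }

  // Append our parameters to redirect_uri, using '&' when it already carries
  // a query string so the caller's own parameters survive.
  function buildRedirect(uri, query) {
    var sep = uri.indexOf('?') === -1 ? '?' : '&';
    var url = uri + sep + OAUTH3.query.stringify(query);
    // NOTE: this can be only up to 2,083 characters
    if (url.length > 2083) {
      console.warn(prefix, "redirect URL exceeds 2,083 characters and may be truncated by the browser");
    }
    return url;
  }

  // Replace the page body with a plain-text message when no redirect is possible.
  function showFatal(message) {
    console.error(prefix, message);
    document.body.textContent = window.location.host + window.location.pathname + ' - ' + message;
  }

  // In debug mode we pause instead of redirecting and let the user click
  // through. Everything interpolated here is escaped; the link target has
  // already passed isAcceptableRedirectUri.
  function showDebugPause(reason, linkLabel, redirect) {
    // yes, we're violating the security lint with purpose
    document.body.innerHTML += escapeHtml(window.location.host + window.location.pathname)
      + '<br/><br/>You\'ve passed the \'debug\' parameter so we\'re pausing'
      + ' to let you look at logs or whatever it is that you intended to do.'
      + (reason ? '<br/><br/>' + escapeHtml(reason) : '')
      + '<br/><br/>' + escapeHtml(linkLabel) + ': <a href="' + escapeHtml(redirect) + '">'
      + escapeHtml(redirect) + '</' + 'a>';
  }

  // Navigate to the redirect, or in debug mode show it for manual review.
  function finish(redirect, reason, linkLabel) {
    if (!params.debug) {
      window.location = redirect;
    } else {
      showDebugPause(reason, linkLabel, redirect);
    }
  }

  // Without a usable redirect_uri there is nowhere safe to send anything,
  // not even an error, so stop here instead of navigating to "undefined?...".
  if (!isAcceptableRedirectUri(params.redirect_uri)) {
    showFatal("redirect_uri is missing or is not an absolute https:// URL without a fragment");
    return;
  }

  // Let's make sure this is something we want to serve. The same parameter
  // (discoverFile) is used for this check and for the fetch below: the previous
  // version checked discoverFile but fetched discoverfile, so a request carrying
  // both names passed the check and then fetched whatever the second one named.
  if (fileWhiteList.indexOf(params.discoverFile) === -1) {
    //Nope!
    var errRedirect = buildRedirect(params.redirect_uri, {
      state: params.state
    , error: "No access to requested file: " + params.discoverFile
    , error_code: "E_ACCESS_DENIED"
    , debug: params.debug || undefined
    });
    console.error(prefix, "Requested file is not listed as a discoverable file:"
      , fileWhiteList);
    console.log("Redirecting with error: ", errRedirect);
    finish(errRedirect
      , 'The requested file was not a discoverable file (see console for details).'
      , 'Continue with error redirect');
    return;
  }

  OAUTH3.request({ url: params.discoverFile }).then(function (resp) {
    var urlsafe64 = OAUTH3._base64.encodeUrlSafe(JSON.stringify(resp.data, null, 0));
    console.log(prefix, 'file contents');
    console.log(resp);
    console.log(prefix, 'base64');
    console.log(urlsafe64);
    // TODO try postMessage back to redirect_uri domain right here
    // window.postMessage();
    console.log(prefix, 'params.redirect_uri:', params.redirect_uri);

    var redirect = buildRedirect(params.redirect_uri, {
      state: params.state
    , directives: urlsafe64 //kept for now, probably should remove this.
    , result: urlsafe64
    , debug: params.debug || undefined
    });
    console.log(prefix, 'redirect');
    console.log(redirect);
    finish(redirect, '', 'Continue with redirect');
  }, function (err) {
    // Previously a failed fetch left the page hanging with no feedback.
    // TODO: decide on an error_code for relaying fetch failures to redirect_uri.
    console.error(prefix, "Could not fetch " + params.discoverFile + ":", err);
    showFatal("Could not fetch " + params.discoverFile + " (see console for details).");
  });
}());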
</script>
</body>
</html>