don't redirect attack your client, duh!

2017-02-10 23:45:34 -05:00 · 2017-02-10 23:45:34 -05:00 · 7de254d597
parent 23d9268627
commit 7de254d597
3 changed files with 23 additions and 4 deletions
--- a/oauth3.browser.js
+++ b/oauth3.browser.js
@ -23,6 +23,19 @@
      opts = opts || {};
      opts.debug = true;
      providerUri = OAUTH3_CORE.normalizeUrl(providerUri);
+      if (window.location.hostname.match(providerUri)) {
+        console.warn("It looks like you're a provider checking for your own directive,"
+          + " so we we're just gonna use OAUTH3.request({ method: 'GET', url: '.well-known/oauth3/directive.json' })");
+        return OAUTH3.request({
+          method: 'GET'
+        , url: OAUTH3.core.normalizeUrl(providerUri) + '/.well-known/oauth3/directives.json'
+        });
+      }
+
+      if (!window.location.hostname.match(opts.client_id || opts.client_uri)) {
+        console.warn("It looks like your client_id doesn't match your current window... this probably won't end well");
+        console.warn(opts.client_id || opts.client_uri, window.location.hostname);
+      }
      var discObj = OAUTH3_CORE.urls.discover(providerUri, { client_id: (opts.client_id || opts.client_uri || getDefaultAppUrl()), debug: opts.debug });

      // TODO ability to reuse iframe instead of closing
@ -146,7 +159,7 @@
          err.code = "E_TIMEOUT";
          reject(err);
          cleanup();
-        }, opts.timeout || 15000);
+        }, opts.timeout || 15 * 1000);

        // TODO hidden / non-hidden (via directive even)
        var framesrc = '<iframe class="js-oauth3-iframe" src="' + url + '" ';
@ -260,7 +273,7 @@
          // Oauth3.init({ logout: function () {} });
          //return Oauth3.logout();

-          var redirectUri = opts.redirectUri
+          var redirectUri = opts.redirect_uri || opts.redirectUri
            || (window.location.protocol + '//' + (window.location.host + window.location.pathname) + 'oauth3.html')
            ;
          var params = {
@ -272,6 +285,7 @@
          , logins: true
          , redirect_uri: redirectUri
          , state: prequest.state
+          , debug: opts.debug
          };

          if (prequest.url === params.redirect_uri) {
--- a/oauth3.core.js
+++ b/oauth3.core.js
@ -213,11 +213,13 @@
    if (!opts.client_id) {
      throw new Error("cannot discover without options.client_id");
    }
+    var clientId = core.normalizeUrl(opts.client_id || opts.client_uri);
+    providerUri = core.normalizeUrl(providerUri);

    var params = {
      action: 'directives'
    , state: core.utils.randomState()
-    , redirect_uri: opts.client_id + (opts.client_callback_path || '/.well-known/oauth3/callback.html')
+    , redirect_uri: clientId + (opts.client_callback_path || '/.well-known/oauth3/callback.html')
    , response_type: 'rpc'
    , _method: 'GET'
    , _pathname: '.well-known/oauth3/directives.json'
--- a/oauth3.js
+++ b/oauth3.js
@ -239,7 +239,10 @@
    });
  };
  oauth3.requests.grants = function (providerUri, opts) {
-    return oauth3.discover(providerUri, opts).then(function (directive) {
+    return oauth3.discover(providerUri, {
+      client_id: providerUri
+    , debug: opts.debug
+    }).then(function (directive) {
      console.log('core.urls.grants(directive, opts)', core.urls.grants(directive, opts));
      return oauth3.request(core.urls.grants(directive, opts)).then(function (grantsResult) {
        if ('POST' === opts.method) {