From 7de254d597834943021906efd72d072f78900720 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Fri, 10 Feb 2017 23:45:34 -0500 Subject: [PATCH] don't redirect attack your client, duh! --- oauth3.browser.js | 18 ++++++++++++++++-- oauth3.core.js | 4 +++- oauth3.js | 5 ++++- 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/oauth3.browser.js b/oauth3.browser.js index b32c783..dfe1d84 100644 --- a/oauth3.browser.js +++ b/oauth3.browser.js @@ -23,6 +23,19 @@ opts = opts || {}; opts.debug = true; providerUri = OAUTH3_CORE.normalizeUrl(providerUri); + if (window.location.hostname.match(providerUri)) { + console.warn("It looks like you're a provider checking for your own directive," + + " so we we're just gonna use OAUTH3.request({ method: 'GET', url: '.well-known/oauth3/directive.json' })"); + return OAUTH3.request({ + method: 'GET' + , url: OAUTH3.core.normalizeUrl(providerUri) + '/.well-known/oauth3/directives.json' + }); + } + + if (!window.location.hostname.match(opts.client_id || opts.client_uri)) { + console.warn("It looks like your client_id doesn't match your current window... this probably won't end well"); + console.warn(opts.client_id || opts.client_uri, window.location.hostname); + } var discObj = OAUTH3_CORE.urls.discover(providerUri, { client_id: (opts.client_id || opts.client_uri || getDefaultAppUrl()), debug: opts.debug }); // TODO ability to reuse iframe instead of closing @@ -146,7 +159,7 @@ err.code = "E_TIMEOUT"; reject(err); cleanup(); - }, opts.timeout || 15000); + }, opts.timeout || 15 * 1000); // TODO hidden / non-hidden (via directive even) var framesrc = '
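Review bot: `window.location.hostname.match(providerUri)` (and the same call on `opts.client_id || opts.client_uri`) passes a URL string to String#match, which compiles it as an unanchored RegExp: `.` matches any character, so a page on `oauth3.org.attacker.example` still "matches" a provider of `oauth3.org`, a URL containing `(`, `?`, `+` or `[` throws a SyntaxError from the implicit RegExp, and when no client_id is set `match(undefined)` matches the empty pattern and the warning is silently skipped. Compare parsed hostnames for equality instead, e.g. `if (window.location.hostname === new URL(providerUri).hostname) {` and `if (window.location.hostname !== new URL(opts.client_id || opts.client_uri || getDefaultAppUrl()).hostname) {` — this assumes normalizeUrl returns an absolute URL; if it strips the scheme, derive the host before comparing. Given the commit's stated purpose of stopping redirect attacks on the client, a mismatched client_id should presumably reject rather than only console.warn and fall through to discovery, e.g. `return Promise.reject(new Error("client_id does not match window.location.hostname"));` (the surrounding code appears Promise-based), unless the soft behaviour was intended. The warning text names `.well-known/oauth3/directive.json` while the request fetches `directives.json` and doubles "we we're", and the url line re-normalizes `providerUri` via `OAUTH3.core.normalizeUrl` although it was already normalized with `OAUTH3_CORE.normalizeUrl` two lines up, so one of each pair is likely wrong. The enclosing function begins before this hunk.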