From 7de254d597834943021906efd72d072f78900720 Mon Sep 17 00:00:00 2001
From: AJ ONeal <aj@daplie.com>
Date: Fri, 10 Feb 2017 23:45:34 -0500
Subject: [PATCH] don't redirect attack your client, duh!

---
 oauth3.browser.js | 18 ++++++++++++++++--
 oauth3.core.js    |  4 +++-
 oauth3.js         |  5 ++++-
 3 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/oauth3.browser.js b/oauth3.browser.js
index b32c783..dfe1d84 100644
--- a/oauth3.browser.js
+++ b/oauth3.browser.js
@@ -23,6 +23,19 @@
       opts = opts || {};
       opts.debug = true;
       providerUri = OAUTH3_CORE.normalizeUrl(providerUri);
+      if (window.location.hostname.match(providerUri)) {
+        console.warn("It looks like you're a provider checking for your own directive,"
+          + " so we we're just gonna use OAUTH3.request({ method: 'GET', url: '.well-known/oauth3/directive.json' })");
+        return OAUTH3.request({
+          method: 'GET'
+        , url: OAUTH3.core.normalizeUrl(providerUri) + '/.well-known/oauth3/directives.json'
+        });
+      }
+
+      if (!window.location.hostname.match(opts.client_id || opts.client_uri)) {
+        console.warn("It looks like your client_id doesn't match your current window... this probably won't end well");
+        console.warn(opts.client_id || opts.client_uri, window.location.hostname);
+      }
       var discObj = OAUTH3_CORE.urls.discover(providerUri, { client_id: (opts.client_id || opts.client_uri || getDefaultAppUrl()), debug: opts.debug });
 
       // TODO ability to reuse iframe instead of closing
@@ -146,7 +159,7 @@
           err.code = "E_TIMEOUT";
           reject(err);
           cleanup();
-        }, opts.timeout || 15000);
+        }, opts.timeout || 15 * 1000);
 
         // TODO hidden / non-hidden (via directive even)
         var framesrc = '<iframe class="js-oauth3-iframe" src="' + url + '" ';
@@ -260,7 +273,7 @@
           // Oauth3.init({ logout: function () {} });
           //return Oauth3.logout();
 
-          var redirectUri = opts.redirectUri
+          var redirectUri = opts.redirect_uri || opts.redirectUri
             || (window.location.protocol + '//' + (window.location.host + window.location.pathname) + 'oauth3.html')
             ;
           var params = {
@@ -272,6 +285,7 @@
           , logins: true
           , redirect_uri: redirectUri
           , state: prequest.state
+          , debug: opts.debug
           };
 
           if (prequest.url === params.redirect_uri) {
diff --git a/oauth3.core.js b/oauth3.core.js
index a24059f..0c2b426 100644
--- a/oauth3.core.js
+++ b/oauth3.core.js
@@ -213,11 +213,13 @@
     if (!opts.client_id) {
       throw new Error("cannot discover without options.client_id");
     }
+    var clientId = core.normalizeUrl(opts.client_id || opts.client_uri);
+    providerUri = core.normalizeUrl(providerUri);
 
     var params = {
       action: 'directives'
     , state: core.utils.randomState()
-    , redirect_uri: opts.client_id + (opts.client_callback_path || '/.well-known/oauth3/callback.html')
+    , redirect_uri: clientId + (opts.client_callback_path || '/.well-known/oauth3/callback.html')
     , response_type: 'rpc'
     , _method: 'GET'
     , _pathname: '.well-known/oauth3/directives.json'
diff --git a/oauth3.js b/oauth3.js
index ae48c42..dde6dfa 100644
--- a/oauth3.js
+++ b/oauth3.js
@@ -239,7 +239,10 @@
     });
   };
   oauth3.requests.grants = function (providerUri, opts) {
-    return oauth3.discover(providerUri, opts).then(function (directive) {
+    return oauth3.discover(providerUri, {
+      client_id: providerUri
+    , debug: opts.debug
+    }).then(function (directive) {
       console.log('core.urls.grants(directive, opts)', core.urls.grants(directive, opts));
       return oauth3.request(core.urls.grants(directive, opts)).then(function (grantsResult) {
         if ('POST' === opts.method) {