94 lines
3.5 KiB
HTML
94 lines
3.5 KiB
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<meta charset="utf-8">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
<title>Redirecting...</title>
|
|
<style>
|
|
body {
|
|
background-color: #ffcccc;
|
|
}
|
|
</style>
|
|
</head>
|
|
<body>
|
|
Redirecting...
|
|
|
|
<!-- TODO permanently cache with appcache (or service worker?) -->
|
|
<!-- TODO slim this all down to a single file -->
|
|
<script src="../../assets/oauth3.org/oauth3.core.js"></script>
|
|
<script>
|
|
;(function () {
|
|
'use strict';
|
|
|
|
var loc = window.location;
|
|
var loginWinObj = window.OAUTH3.query.parse(loc.hash || loc.search);
|
|
var prefix = "(" + window.location.hostname + ") [.well-known/oauth3/callback.html]";
|
|
|
|
if (loginWinObj.debug) {
|
|
console.warn(prefix, "DEBUG MODE ENABLED. Automatic redirects disabled.");
|
|
}
|
|
if (!loginWinObj.state) {
|
|
console.error(loginWinObj);
|
|
window.alert(prefix + ": missing state parameter");
|
|
}
|
|
|
|
// '--oauth3-callback-' prefix exist for security so that an attacker can't social engineer execution an arbitrary function
|
|
// TODO finalize name of '--oauth3-callback-', this will be a defacto standard
|
|
// TODO maybe call it 'self-xss-' or 'hack-my-account-' to discourage people from doing dumb things?
|
|
var callbackName = '--oauth3-callback-' + loginWinObj.state;
|
|
|
|
console.log(prefix, loc.href);
|
|
console.log(prefix, 'Parsed URL Obj:', loginWinObj);
|
|
console.log(prefix, 'callbackName:', callbackName);
|
|
|
|
window.oauth3complete = function () {
|
|
// The hacks that used to be necessary for this on iOS should no longer be necessary in iOS 9+
|
|
// see https://bugs.chromium.org/p/chromium/issues/detail?id=136610 and https://crbug.com/423444
|
|
// TODO Should we still create an abstraction for older versions?
|
|
if (window.parent) {
|
|
// iframe
|
|
try {
|
|
window.parent[callbackName](loginWinObj);
|
|
return;
|
|
} catch(e) {
|
|
console.warn(e);
|
|
}
|
|
}
|
|
|
|
if (window.opener) {
|
|
try {
|
|
window.opener[callbackName](loginWinObj);
|
|
return;
|
|
} catch(e) {
|
|
console.warn(e);
|
|
}
|
|
}
|
|
|
|
console.error("neither window.parent nor window.opener existed to complete callback");
|
|
|
|
/*
|
|
// the caller should close (or signal to close) the window
|
|
try {
|
|
window.close();
|
|
} catch (err) {
|
|
console.log('Error: ', err);
|
|
}
|
|
*/
|
|
};
|
|
|
|
if (!loginWinObj.debug) {
|
|
window.oauth3complete();
|
|
}
|
|
else {
|
|
document.body.innerHTML = window.location.hostname + window.location.pathname
|
|
+ '<br/><br/>You\'ve passed the \'debug\' parameter so we\'re pausing'
|
|
+ ' to let you look at logs or whatever it is that you intended to do.'
|
|
+ '<br/><br/>Continue with callback: <a href="javascript:window.oauth3complete()">javascript:window.oauth3complete()</' + 'a>';
|
|
return;
|
|
}
|
|
|
|
}());
|
|
</script>
|
|
</body>
|
|
</html>
|