67 lines
2.2 KiB
JavaScript
67 lines
2.2 KiB
JavaScript
(function () {
|
|
"use strict";
|
|
|
|
var loc = window.location;
|
|
var loginWinObj = window.OAUTH3_CORE.queryparse(loc.hash || loc.search);
|
|
var prefix = "(" + window.location.hostname + ") [.well-known/oauth3/callback.html]";
|
|
|
|
if (loginWinObj.debug) {
|
|
console.warn(prefix, "DEBUG MODE ENABLED. Automatic redirects disabled.");
|
|
}
|
|
// '--oauth3-callback-' prefix exist for security so that an attacker can't social engineer execution an arbitrary function
|
|
// TODO finalize name of '--oauth3-callback-', this will be a defacto standard
|
|
// TODO maybe call it 'self-xss-' or 'hack-my-account-' to discourage people from doing dumb things?
|
|
var callbackName = '--oauth3-callback-' + loginWinObj.state;
|
|
|
|
console.log(prefix, loc.href);
|
|
console.log(prefix, 'Parsed URL Obj:', loginWinObj);
|
|
console.log(prefix, 'callbackName:', callbackName);
|
|
|
|
window.oauth3complete = function () {
|
|
// The hacks that used to be necessary for this on iOS should no longer be necessary in iOS 9+
|
|
// see https://bugs.chromium.org/p/chromium/issues/detail?id=136610 and https://crbug.com/423444
|
|
// TODO Should we still create an abstraction for older versions?
|
|
if (window.parent) {
|
|
// iframe
|
|
try {
|
|
window.parent[callbackName](loginWinObj);
|
|
return;
|
|
} catch(e) {
|
|
console.warn(e);
|
|
}
|
|
}
|
|
|
|
if (window.opener) {
|
|
try {
|
|
window.opener[callbackName](loginWinObj);
|
|
return;
|
|
} catch(e) {
|
|
console.warn(e);
|
|
}
|
|
}
|
|
|
|
console.error("neither window.parent nor window.opener existed to complete callback");
|
|
|
|
/*
|
|
// the caller should close (or signal to close) the window
|
|
try {
|
|
window.close();
|
|
} catch (err) {
|
|
console.log('Error: ', err);
|
|
}
|
|
*/
|
|
};
|
|
|
|
if (!loginWinObj.debug) {
|
|
window.oauth3complete();
|
|
}
|
|
else {
|
|
document.body.innerHTML = window.location.hostname + window.location.pathname
|
|
+ '<br/><br/>You\'ve passed the \'debug\' parameter so we\'re pausing'
|
|
+ ' to let you look at logs or whatever it is that you intended to do.'
|
|
+ '<br/><br/>Continue with callback: <a href="javascript:window.oauth3complete()">javascript:window.oauth3complete()</' + 'a>';
|
|
return;
|
|
}
|
|
|
|
}());
|