oauth3.js/well-known/oauth3/callback.html

89 lines
3.3 KiB
HTML

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Redirecting...</title>
<style>
body {
background-color: #ffcccc;
}
</style>
</head>
<body>
Redirecting...
<!-- TODO permanently cache with appcache (or service worker?) -->
<!-- TODO slim this all down to a single file -->
<script src="/assets/org.oauth3/oauth3.core.js"></script>
<script>
;(function () {
'use strict';
var loc = window.location;
var loginWinObj = window.OAUTH3.query.parse(loc.hash || loc.search);
var prefix = "(" + window.location.hostname + ") [.well-known/oauth3/callback.html]";
if (loginWinObj.debug) {
console.warn(prefix, "DEBUG MODE ENABLED. Automatic redirects disabled.");
}
// '--oauth3-callback-' prefix exist for security so that an attacker can't social engineer execution an arbitrary function
// TODO finalize name of '--oauth3-callback-', this will be a defacto standard
// TODO maybe call it 'self-xss-' or 'hack-my-account-' to discourage people from doing dumb things?
var callbackName = '--oauth3-callback-' + loginWinObj.state;
console.log(prefix, loc.href);
console.log(prefix, 'Parsed URL Obj:', loginWinObj);
console.log(prefix, 'callbackName:', callbackName);
window.oauth3complete = function () {
// The hacks that used to be necessary for this on iOS should no longer be necessary in iOS 9+
// see https://bugs.chromium.org/p/chromium/issues/detail?id=136610 and https://crbug.com/423444
// TODO Should we still create an abstraction for older versions?
if (window.parent) {
// iframe
try {
window.parent[callbackName](loginWinObj);
return;
} catch(e) {
console.warn(e);
}
}
if (window.opener) {
try {
window.opener[callbackName](loginWinObj);
return;
} catch(e) {
console.warn(e);
}
}
console.error("neither window.parent nor window.opener existed to complete callback");
/*
// the caller should close (or signal to close) the window
try {
window.close();
} catch (err) {
console.log('Error: ', err);
}
*/
};
if (!loginWinObj.debug) {
window.oauth3complete();
}
else {
document.body.innerHTML = window.location.hostname + window.location.pathname
+ '<br/><br/>You\'ve passed the \'debug\' parameter so we\'re pausing'
+ ' to let you look at logs or whatever it is that you intended to do.'
+ '<br/><br/>Continue with callback: <a href="javascript:window.oauth3complete()">javascript:window.oauth3complete()</' + 'a>';
return;
}
}());
</script>
</body>
</html>