fix: make the default callback validation stricter

Convly 2024-04-08 14:48:42 +02:00
parent e762295cbe
commit feeeef6cf9


@ -19,14 +19,12 @@ module.exports = {
},
},
callback: {
validate(url, provider) {
const uCallback = new URL(url);
const uRedirect = new URL(provider.redirectUri);
validate(callbackURL, provider) {
const defaultCallbackURL = provider.callback;
// The default validation checks that the provided callback's origin matches the provider redirectUri origin
if (uCallback.origin !== uRedirect.origin) {
if (callbackURL !== defaultCallbackURL) {
throw new Error(
`Forbidden callback provided: origins don't match (${uCallback.origin} !== ${uRedirect.origin})`
`Forbidden callback provided: ${callbackURL} !== ${defaultCallbackURL})`
);
}
},
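Review bot: The comment above the new `if` is now stale: it still says the default validation compares the callback's origin against the provider `redirectUri` origin, while the new code requires exact string equality with `provider.callback`, and the error message on the line below keeps a stray closing parenthesis from the old format (`${defaultCallbackURL})`). I would change the comment to `// The default validation requires the provided callback to be exactly equal to the provider's configured callback URL (no origin-only matching, no trailing-slash or case normalization)` and the message to `` `Forbidden callback provided: ${callbackURL} !== ${defaultCallbackURL}` ``. Strict equality is the right direction for an OAuth redirect target since origin-only matching allowed path and query differences, but because it is a plain string comparison, operators whose configured callback differs only by a trailing slash or case will now be rejected, which is worth stating in the changelog. If `provider.callback` can be unset, a guard such as `if (!defaultCallbackURL || callbackURL !== defaultCallbackURL)` would keep the check fail-closed when both sides are undefined; I cannot see the provider shape from this hunk, so confirm against the provider registry. The enclosing `module.exports` object starts and ends outside the hunk.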