From feeeef6cf917a725a00e3a1299595fe7ccd6425d Mon Sep 17 00:00:00 2001
From: Convly
Date: Mon, 8 Apr 2024 14:48:42 +0200
Subject: [PATCH] fix: make the default callback validation stricter

---
 packages/plugins/users-permissions/server/config.js | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/packages/plugins/users-permissions/server/config.js b/packages/plugins/users-permissions/server/config.js
index 61b122da10..ee60162efb 100644
--- a/packages/plugins/users-permissions/server/config.js
+++ b/packages/plugins/users-permissions/server/config.js
@@ -19,14 +19,12 @@ module.exports = {
     },
   },
   callback: {
-    validate(url, provider) {
-      const uCallback = new URL(url);
-      const uRedirect = new URL(provider.redirectUri);
+    validate(callbackURL, provider) {
+      const defaultCallbackURL = provider.callback;
 
-      // The default validation checks that the provided callback's origin matches the provider redirectUri origin
-      if (uCallback.origin !== uRedirect.origin) {
+      if (callbackURL !== defaultCallbackURL) {
         throw new Error(
-          `Forbidden callback provided: origins don't match (${uCallback.origin} !== ${uRedirect.origin})`
+          `Forbidden callback provided: ${callbackURL} !== ${defaultCallbackURL})`
         );
       }
     },
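Review bot: The new error message in the `throw new Error(` template literal ends with `${defaultCallbackURL})`, a stray closing parenthesis left over from the removed `(… !== …)` form that no opening parenthesis matches; the line should read `Forbidden callback provided: ${callbackURL} !== ${defaultCallbackURL}` inside the backticks. The removed comment describing what the default validation enforces has no replacement, so a line such as `// Default validation: the provided callback must exactly match the provider's configured callback URL` before the `if` would keep the intent of the exact-match check readable. If `provider.callback` can be unset for some providers, the comparison rejects every input, which fails closed but would surface a confusing `… !== undefined` message rather than a configuration error, and is worth confirming against the provider config shape. The `validate` method is fully inside the hunk, but the enclosing `module.exports` object starts before it.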