fix: make the default callback validation stricter

Convly 2024-04-08 14:48:42 +02:00
parent e762295cbe
commit feeeef6cf9


@ -19,14 +19,12 @@ module.exports = {
}, },
}, },
callback: { callback: {
validate(url, provider) { validate(callbackURL, provider) {
const uCallback = new URL(url); const defaultCallbackURL = provider.callback;
const uRedirect = new URL(provider.redirectUri);
// The default validation checks that the provided callback's origin matches the provider redirectUri origin if (callbackURL !== defaultCallbackURL) {
if (uCallback.origin !== uRedirect.origin) {
throw new Error( throw new Error(
`Forbidden callback provided: origins don't match (${uCallback.origin} !== ${uRedirect.origin})` `Forbidden callback provided: ${callbackURL} !== ${defaultCallbackURL})`
); );
} }
}, },