Add whitelisted 'postmessage' to valid redirect URIs (#249)

closes: #92
2019-12-02 10:11:13 -07:00 · 2019-12-02 10:11:13 -07:00 · d80900156a
parent 4928d44072
commit d80900156a
3 changed files with 28 additions and 5 deletions
--- a/.rubocop.yml
+++ b/.rubocop.yml
@ -7,9 +7,7 @@ AllCops:
    - "Rakefile"
    - "rakelib/**/*"
 Metrics/ClassLength:
-  Max: 110
-  Exclude:
-    - "lib/googleauth/credentials.rb"
+  Max: 200
 Metrics/ModuleLength:
  Max: 110
 Metrics/BlockLength:
--- a/lib/googleauth/user_authorizer.rb
+++ b/lib/googleauth/user_authorizer.rb
@ -271,10 +271,15 @@ module Google
      # @return [String]
      #  Redirect URI
      def redirect_uri_for base_url
-        return @callback_uri unless URI(@callback_uri).scheme.nil?
+        return @callback_uri if uri_is_postmessage?(@callback_uri) || !URI(@callback_uri).scheme.nil?
        raise format(MISSING_ABSOLUTE_URL_ERROR, @callback_uri) if base_url.nil? || URI(base_url).scheme.nil?
        URI.join(base_url, @callback_uri).to_s
      end
+
+      # Check if URI is Google's postmessage flow (not a valid redirect_uri by spec, but allowed)
+      def uri_is_postmessage? uri
+        uri.to_s.casecmp("postmessage").zero?
+      end
    end
  end
 end
--- a/spec/googleauth/user_authorizer_spec.rb
+++ b/spec/googleauth/user_authorizer_spec.rb
@ -80,7 +80,7 @@ describe Google::Auth::UserAuthorizer do
      expect(URI(uri).query).to_not match(/client_secret/)
    end

-    it "should include the callback uri" do
+    it "should include the redirect_uri" do
      expect(URI(uri).query).to match(
        %r{redirect_uri=https://www.example.com/oauth/callback}
      )
@ -91,6 +91,25 @@ describe Google::Auth::UserAuthorizer do
    end
  end

+  context "when generating authorization URLs and callback_uri is 'postmessage'" do
+    let(:callback_uri) { "postmessage" }
+    let :authorizer do
+      Google::Auth::UserAuthorizer.new(client_id,
+                                       scope,
+                                       token_store,
+                                       callback_uri)
+    end
+    let :uri do
+      authorizer.get_authorization_url login_hint: "user1", state: "mystate"
+    end
+
+    it "should include the redirect_uri 'postmessage'" do
+      expect(URI(uri).query).to match(
+        %r{redirect_uri=postmessage}
+      )
+    end
+  end
+
  context "when generating authorization URLs with user ID & state" do
    let :uri do
      authorizer.get_authorization_url login_hint: "user1", state: "mystate"
@ -253,6 +272,7 @@ describe Google::Auth::UserAuthorizer do
        user_id: "user1", code: "code"
      )
      expect(credentials.access_token).to eq "1/abc123"
+      expect(credentials.redirect_uri.to_s).to eq "https://www.example.com/oauth/callback"
    end

    it "should not store credentials when get only requested" do