From d80900156a02f5d79666fe9a11fb610a1443f34c Mon Sep 17 00:00:00 2001 From: Chris Smith Date: Mon, 2 Dec 2019 10:11:13 -0700 Subject: [PATCH] Add whitelisted 'postmessage' to valid redirect URIs (#249) closes: #92 --- .rubocop.yml | 4 +--- lib/googleauth/user_authorizer.rb | 7 ++++++- spec/googleauth/user_authorizer_spec.rb | 22 +++++++++++++++++++++- 3 files changed, 28 insertions(+), 5 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index d9fb038..67285fc 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -7,9 +7,7 @@ AllCops: - "Rakefile" - "rakelib/**/*" Metrics/ClassLength: - Max: 110 - Exclude: - - "lib/googleauth/credentials.rb" + Max: 200 Metrics/ModuleLength: Max: 110 Metrics/BlockLength: diff --git a/lib/googleauth/user_authorizer.rb b/lib/googleauth/user_authorizer.rb index 59f4647..90c3761 100644 --- a/lib/googleauth/user_authorizer.rb +++ b/lib/googleauth/user_authorizer.rb @@ -271,10 +271,15 @@ module Google # @return [String] # Redirect URI def redirect_uri_for base_url - return @callback_uri unless URI(@callback_uri).scheme.nil? + return @callback_uri if uri_is_postmessage?(@callback_uri) || !URI(@callback_uri).scheme.nil? raise format(MISSING_ABSOLUTE_URL_ERROR, @callback_uri) if base_url.nil? || URI(base_url).scheme.nil? URI.join(base_url, @callback_uri).to_s end + + # Check if URI is Google's postmessage flow (not a valid redirect_uri by spec, but allowed) + def uri_is_postmessage? uri + uri.to_s.casecmp("postmessage").zero? + end end end end diff --git a/spec/googleauth/user_authorizer_spec.rb b/spec/googleauth/user_authorizer_spec.rb index 5a36304..50f3f2f 100644 --- a/spec/googleauth/user_authorizer_spec.rb +++ b/spec/googleauth/user_authorizer_spec.rb @@ -80,7 +80,7 @@ describe Google::Auth::UserAuthorizer do expect(URI(uri).query).to_not match(/client_secret/) end - it "should include the callback uri" do + it "should include the redirect_uri" do expect(URI(uri).query).to match( %r{redirect_uri=https://www.example.com/oauth/callback} ) @@ -91,6 +91,25 @@ describe Google::Auth::UserAuthorizer do end end + context "when generating authorization URLs and callback_uri is 'postmessage'" do + let(:callback_uri) { "postmessage" } + let :authorizer do + Google::Auth::UserAuthorizer.new(client_id, + scope, + token_store, + callback_uri) + end + let :uri do + authorizer.get_authorization_url login_hint: "user1", state: "mystate" + end + + it "should include the redirect_uri 'postmessage'" do + expect(URI(uri).query).to match( + %r{redirect_uri=postmessage} + ) + end + end + context "when generating authorization URLs with user ID & state" do let :uri do authorizer.get_authorization_url login_hint: "user1", state: "mystate" @@ -253,6 +272,7 @@ describe Google::Auth::UserAuthorizer do user_id: "user1", code: "code" ) expect(credentials.access_token).to eq "1/abc123" + expect(credentials.redirect_uri.to_s).to eq "https://www.example.com/oauth/callback" end it "should not store credentials when get only requested" do