Add whitelisted 'postmessage' to valid redirect URIs (#249)

closes: #92
This commit is contained in:
Chris Smith 2019-12-02 10:11:13 -07:00 committed by GitHub
parent 4928d44072
commit d80900156a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 28 additions and 5 deletions

View File

@ -7,9 +7,7 @@ AllCops:
- "Rakefile" - "Rakefile"
- "rakelib/**/*" - "rakelib/**/*"
Metrics/ClassLength: Metrics/ClassLength:
Max: 110 Max: 200
Exclude:
- "lib/googleauth/credentials.rb"
Metrics/ModuleLength: Metrics/ModuleLength:
Max: 110 Max: 110
Metrics/BlockLength: Metrics/BlockLength:

View File

@ -271,10 +271,15 @@ module Google
# @return [String] # @return [String]
# Redirect URI # Redirect URI
def redirect_uri_for base_url def redirect_uri_for base_url
return @callback_uri unless URI(@callback_uri).scheme.nil? return @callback_uri if uri_is_postmessage?(@callback_uri) || !URI(@callback_uri).scheme.nil?
raise format(MISSING_ABSOLUTE_URL_ERROR, @callback_uri) if base_url.nil? || URI(base_url).scheme.nil? raise format(MISSING_ABSOLUTE_URL_ERROR, @callback_uri) if base_url.nil? || URI(base_url).scheme.nil?
URI.join(base_url, @callback_uri).to_s URI.join(base_url, @callback_uri).to_s
end end
# Check if URI is Google's postmessage flow (not a valid redirect_uri by spec, but allowed)
def uri_is_postmessage? uri
uri.to_s.casecmp("postmessage").zero?
end
end end
end end
end end

View File

@ -80,7 +80,7 @@ describe Google::Auth::UserAuthorizer do
expect(URI(uri).query).to_not match(/client_secret/) expect(URI(uri).query).to_not match(/client_secret/)
end end
it "should include the callback uri" do it "should include the redirect_uri" do
expect(URI(uri).query).to match( expect(URI(uri).query).to match(
%r{redirect_uri=https://www.example.com/oauth/callback} %r{redirect_uri=https://www.example.com/oauth/callback}
) )
@ -91,6 +91,25 @@ describe Google::Auth::UserAuthorizer do
end end
end end
context "when generating authorization URLs and callback_uri is 'postmessage'" do
let(:callback_uri) { "postmessage" }
let :authorizer do
Google::Auth::UserAuthorizer.new(client_id,
scope,
token_store,
callback_uri)
end
let :uri do
authorizer.get_authorization_url login_hint: "user1", state: "mystate"
end
it "should include the redirect_uri 'postmessage'" do
expect(URI(uri).query).to match(
%r{redirect_uri=postmessage}
)
end
end
context "when generating authorization URLs with user ID & state" do context "when generating authorization URLs with user ID & state" do
let :uri do let :uri do
authorizer.get_authorization_url login_hint: "user1", state: "mystate" authorizer.get_authorization_url login_hint: "user1", state: "mystate"
@ -253,6 +272,7 @@ describe Google::Auth::UserAuthorizer do
user_id: "user1", code: "code" user_id: "user1", code: "code"
) )
expect(credentials.access_token).to eq "1/abc123" expect(credentials.access_token).to eq "1/abc123"
expect(credentials.redirect_uri.to_s).to eq "https://www.example.com/oauth/callback"
end end
it "should not store credentials when get only requested" do it "should not store credentials when get only requested" do