check oauth2 authorization code redirect for exact 'code' query parameter (#1777)

Co-authored-by: Stefan Grüttner <stefan.gruettner@deutschebahn.com>
This commit is contained in:
Stefan 2024-03-22 14:13:12 +01:00 committed by GitHub
parent e278116356
commit 753ca4341f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -24,7 +24,7 @@ const authorizeUserInWindow = ({ authorizeUrl, callbackUrl, session }) => {
function onWindowRedirect(url) { function onWindowRedirect(url) {
// check if the url contains an authorization code // check if the url contains an authorization code
if (url.match(/(code=).*/)) { if (new URL(url).searchParams.has('code')) {
finalUrl = url; finalUrl = url;
if (!url || !finalUrl.includes(callbackUrl)) { if (!url || !finalUrl.includes(callbackUrl)) {
reject(new Error('Invalid Callback Url')); reject(new Error('Invalid Callback Url'));