Commit Graph

2 Commits

Author SHA1 Message Date
lohit
4f4faec359 fix(oauth2): prevent false callback matches on root path URLs (#7315)
* fix(oauth2): prevent false callback matches on root path URLs and handle errors first

Move error check before callback URL matching in onWindowRedirect so
OAuth error responses are rejected immediately. Remove redundant error
param check from matchesCallbackUrl and require a code param or hash
fragment to match, preventing false positives on intermediate pages
when the callback URL is a root path like https://hostname/.

* fix(oauth2): clarify error handling comment

Remove "on the callback URL" from comment since error checking
now happens before callback URL matching.
2026-02-27 20:48:51 +05:30
Dakshin K
46df2e967f fix: Check OAuth2 redirect URL for matching callback URL and authorization code in query parameters (#2148)
* Check OAuth2 redirect URL for matching callback URL and authorization code in query parameters

In an Authorization code flow, there may be multiple intermediate redirects before reaching the final one which matches the callback URL and has a code in the query params.

We should wait until we see a redirect URI that matches both the conditions. This fixes the issue where, when a redirect contains `code` as a query param but is not the final one (i.e., is not to the callback URL) an error is thrown saying the callback URL is invalid.

Fixes #2147

* Add test cases for callback URL check

* Update check to cover URLs with same host but different endpoints
2024-05-31 15:41:31 +05:30