@auth/core - npm Package Compare versions

Comparing version 0.0.0-159ab8c31 to 0.0.0-6fe1c36bf

lib/oauth/authorization-url.js

@@ -37,6 +37,5 @@ import * as checks from "./checks.js";
     const cookies = [];
-    const data = provider.redirectProxy &&
-        !options.url.origin?.startsWith(provider.redirectProxy)
-        ? { origin: provider.callbackUrl }
-        : undefined;
+    // TODO: verify that comparison is safe
+    const isOriginProxy = provider.redirectProxy?.startsWith(options.url.origin);
+    const data = isOriginProxy ? undefined : { origin: provider.callbackUrl };
     const state = await checks.state.create(options, data);
@@ -43,0 +42,0 @@ if (state) {

lib/oauth/checks.js

@@ -92,3 +92,4 @@ import * as o from "oauth4webapi";
             throw new InvalidState("Could not parse state cookie.");
-        if (options.provider.redirectProxy) {
+        const isOriginProxy = provider.redirectProxy?.startsWith(options.url.origin);
+        if (!isOriginProxy) {
             if (!paramRandom)
@@ -95,0 +96,0 @@ throw new InvalidState("Random state was missing in the decoded `state` parameter, but required when using `redirectProxy`.");

lib/routes/callback.js

@@ -16,8 +16,9 @@ import { handleLogin } from "../callback-handler.js";
             let randomState;
-            if (provider.redirectProxy) {
-                const state = decodeState(query?.state);
+            // TODO: verify that comparison is safe
+            const isOriginProxy = provider.redirectProxy?.startsWith(options.url.origin);
+            if (isOriginProxy && query?.state) {
+                const state = decodeState(query.state);
                 randomState = state?.random;
                 // TODO: verify that redirect is safe
-                if (state?.origin &&
-                    provider.redirectProxy?.startsWith(options.url.origin)) {
+                if (state?.origin) {
                     return { redirect: `${state.origin}?${new URLSearchParams(query)}` };
@@ -24,0 +25,0 @@ }

lib/web.js

@@ -70,3 +70,3 @@ import { parse as parseCookie, serialize } from "cookie";
             headers.set("Set-Cookie", cookieHeader);
-        headers.set("Set-Cookie", cookieHeader); // TODO: Remove. Seems to be a bug with Headers in the runtime
+        // headers.set("Set-Cookie", cookieHeader) // TODO: Remove. Seems to be a bug with Headers in the runtime
     });
@@ -73,0 +73,0 @@ let body = res.body;

package.json

 {
   "name": "@auth/core",
-  "version": "0.0.0-159ab8c31",
+  "version": "0.0.0-6fe1c36bf",
   "description": "Authentication for the Web.",
@@ -5,0 +5,0 @@ "keywords": [

src/lib/oauth/authorization-url.ts

@@ -61,7 +61,5 @@ import * as checks from "./checks.js"
 
-  const data =
-    provider.redirectProxy &&
-    !options.url.origin?.startsWith(provider.redirectProxy)
-      ? { origin: provider.callbackUrl }
-      : undefined
+  // TODO: verify that comparison is safe
+  const isOriginProxy = provider.redirectProxy?.startsWith(options.url.origin)
+  const data = isOriginProxy ? undefined : { origin: provider.callbackUrl }
 
@@ -68,0 +66,0 @@ const state = await checks.state.create(options, data)

src/lib/oauth/checks.ts

@@ -135,3 +135,4 @@ import * as o from "oauth4webapi"
 
-    if (options.provider.redirectProxy) {
+    const isOriginProxy = provider.redirectProxy?.startsWith(options.url.origin)
+    if (!isOriginProxy) {
       if (!paramRandom)
@@ -138,0 +139,0 @@ throw new InvalidState(

src/lib/routes/callback.ts

@@ -49,5 +49,9 @@ import { handleLogin } from "../callback-handler.js"
 
-      if (provider.redirectProxy) {
+      // TODO: verify that comparison is safe
+      const isOriginProxy = provider.redirectProxy?.startsWith(
+        options.url.origin
+      )
+      if (isOriginProxy && query?.state) {
         const state = decodeState<{ origin: string; random: string }>(
-          query?.state
+          query.state
         )
@@ -58,6 +62,3 @@
         // TODO: verify that redirect is safe
-        if (
-          state?.origin &&
-          provider.redirectProxy?.startsWith(options.url.origin)
-        ) {
+        if (state?.origin) {
           return { redirect: `${state.origin}?${new URLSearchParams(query)}` }
@@ -64,0 +65,0 @@ }

src/lib/web.ts

@@ -81,3 +81,3 @@ import { parse as parseCookie, serialize } from "cookie"
     else headers.set("Set-Cookie", cookieHeader)
-    headers.set("Set-Cookie", cookieHeader) // TODO: Remove. Seems to be a bug with Headers in the runtime
+    // headers.set("Set-Cookie", cookieHeader) // TODO: Remove. Seems to be a bug with Headers in the runtime
   })
@@ -84,0 +84,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

790044

increased by0.04%

Lines of code

19958

increased by0.01%

No dependency changes