Allow end-of-OAuth redirect URLs to be 127.0.0.1.

We were being too restrictive about validating our redirect at the end
of the OAuth redirect flow: 127.0.0.1 is okay even if ROOT_URL is
localhost.
Emily Stark
2014-09-09 21:28:08 -07:00
parent 63381e5ee4
commit f4e100dc14


@@ -370,7 +370,12 @@ OAuth._endOfLoginResponse = function (res, details) {
if (details.loginStyle === 'redirect') {
redirectUrl = OAuth._stateFromQuery(details.query).redirectUrl;
var appHost = Meteor.absoluteUrl();
if (redirectUrl.substr(0, appHost.length) !== appHost) {
var appHostReplacedLocalhost = Meteor.absoluteUrl(undefined, {
replaceLocalhost: true
});
if (redirectUrl.substr(0, appHost.length) !== appHost &&
redirectUrl.substr(0, appHostReplacedLocalhost.length) !==
appHostReplacedLocalhost) {
details.error = "redirectUrl (" + redirectUrl +
") is not on the same host as the app (" + appHost + ")";
redirectUrl = appHost;
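Review bot: The added `if` still decides "same host" by raw string prefix, so the guard is only as strict as the prefix: it relies on `Meteor.absoluteUrl()` returning the origin with a trailing slash, and if either `appHost` or `appHostReplacedLocalhost` ever lacks one, a redirectUrl whose host merely begins with the app's host would be accepted, weakening the open-redirect check this branch exists for. Normalising both values before the comparison, e.g. `if (appHost.slice(-1) !== '/') appHost += '/';` and the same for `appHostReplacedLocalhost`, or comparing parsed origins rather than prefixes, would make the intent explicit. A short comment above the new `if`, such as `// 127.0.0.1 is accepted as an alias for localhost so a ROOT_URL of localhost does not reject the loopback form`, would record why the second prefix is consulted. `_endOfLoginResponse` begins before the hunk and its body continues past it.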