'oauth' was using 'btoa', but it's not supported in IE8-9. We already
had a base64 implementation in 'ejson', so I factored it out into its
own package used by 'ejson' and 'oauth'.
If you log in and out repeatedly, the popup would fail to close every few
times. My guess is that we can't close the OAuth popup while the last
navigation is still in progress.
Also clean up event listeners on popup exit.
* Be less XSS-able by HTML-encoding 'config' in the end-of-login
  responses and reading it out of the DOM.
* Thread 'isCordova' through to end-of-login responses. Trying to do a
  'window.close' in Cordova, even in a try/catch, breaks the in-app
  browser.
* Remove some stray 'console.log's.
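
The first bullet above, as an added example (not code from the Meteor commit; the function names and the sample config are hypothetical): an end-of-login page built with config spliced into an inline script, next to one that carries it HTML-encoded in a hidden element and reads it back out. `readConfigElement` stands in for the browser's DOM read so the block runs under Node.

```javascript
// Added example; names and sample data are constructed, not Meteor's own.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const UNESCAPES = { amp: '&', lt: '<', gt: '>', quot: '"', '#x27': "'" };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Before: config goes into an inline script. JSON.stringify leaves "<" and
// "/" alone, so a "</script>" inside any string value ends the script block
// and the rest of that value is parsed as markup.
function renderInlineScript(config) {
  return '<script>var config = ' + JSON.stringify(config) + ';</script>';
}

// After: config is HTML-encoded text inside an inert element. A static
// script on the page reads the element and JSON.parses the text.
function renderConfigElement(config) {
  return '<div id="config" style="display:none;">' +
    escapeHtml(JSON.stringify(config)) + '</div>';
}

// Node stand-in for the DOM read: take the element's text, decode the
// entities in one pass (so "&amp;lt;" stays "&lt;"), then parse.
function readConfigElement(html) {
  const m = /<div id="config"[^>]*>([^<]*)<\/div>/.exec(html);
  if (!m) throw new Error('config element missing or contains markup');
  const text = m[1].replace(/&(amp|lt|gt|quot|#x27);/g, (_, name) => UNESCAPES[name]);
  return JSON.parse(text);
}

// Counts "<script" openers an HTML parser would see in the output.
function countScriptOpens(html) {
  return html.split('<script').length - 1;
}

// Constructed config with one attacker-influenced string value.
const SAMPLE_CONFIG = {
  credentialToken: 'tok-123',
  isCordova: false,
  label: '</script><script>document.title="x"</script>',
};

console.log('inline script openers:', countScriptOpens(renderInlineScript(SAMPLE_CONFIG)));
console.log('config element openers:', countScriptOpens(renderConfigElement(SAMPLE_CONFIG)));
console.log('round trip:', readConfigElement(renderConfigElement(SAMPLE_CONFIG)));
```
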
UIWebView which aren't able to use the preferred "popup" login flow.
See the specs for details:
https://meteor.hackpad.com/OAuth-redirect-flow-spec-PeziTcaNPDP
https://meteor.hackpad.com/OAuth-redirect-flow-part-II-vswwUKP4vXe
I extracted code to construct a URL from the `http` package into a new
`url` utility package. The new package has no public API; it simply
has the original URL construction functions that were in `http` and
makes them available to oauth.
Fixes the Meetup account login, as Meetup now requires using
"https://api.meetup.com/2/members" instead of
"https://secure.meetup.com/2/members".
The `?close` parameter for the redirect URI is now not needed or used.
For backwards compatibility the `?close` parameter is included if the
login service configuration doesn't include the `loginStyle` field
(indicating it was created using old code).
We've occasionally seen weird configurations of IE where localStorage
isn't shared between same-origin windows, so trying window.opener first
is safer.
Using an onerror event handler looks like the only semi-reliable way to
be able to close the popup in iOS Chrome, even though it's almost
certainly a bug that this works. We'll replace it soon with
redirect-based OAuth.
The main changes are:
* The `isSafe` check happens before _endOfLoginResponse is called. If
  _endOfLoginResponse gets a credential token/secret, then the values
  are safe to include in HTML.
* _endOfLoginResponse gets a little more information about the request
  (like the query string, and a string or Error describing any error
  that occurred).
* We preserve the <=0.8.1.3 behavior where you have to pass ?close in
  the query parameter to get the popup to be closed at the end of the
  OAuth flow.
This code has never worked without some fairly serious client-side
surgery, and it now especially doesn't work because it doesn't
communicate the credentialSecret back to the app. Rather than leave an
untested, unQA-ed code path in core, apps that are using the ?redirect
flow can just override `OAuth._endOfLoginResponse` to do the redirect
themselves.