Narrow the scope of the local server handler

Before, the local server handled any request regardless of path, which
could include requests generated by the browser, such as the one for
favicon. This could lead to race conditions around reading the code
needed to continue the OAuth flow.

Now, have the OAuth flow redirect to `localhost:PORT/callback` and only
handle `/callback` requests specifically.
Mislav Marohnić 2020-01-13 20:14:00 +01:00
parent 635d2963f6
commit bbeb558fce


@ -46,7 +46,7 @@ func (oa *OAuthFlow) ObtainAccessToken() (accessToken string, err error) {
q := url.Values{}
q.Set("client_id", oa.ClientID)
q.Set("redirect_uri", fmt.Sprintf("http://localhost:%d", port))
q.Set("redirect_uri", fmt.Sprintf("http://localhost:%d/callback", port))
q.Set("scope", "repo")
q.Set("state", state)
@ -57,6 +57,10 @@ func (oa *OAuthFlow) ObtainAccessToken() (accessToken string, err error) {
}
http.Serve(listener, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path != "/callback" {
w.WriteHeader(404)
return
}
defer listener.Close()
rq := r.URL.Query()
if state != rq.Get("state") {