From bbeb558fce0be4fe0f99167167a97a05707b4b60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mislav=20Marohni=C4=87?=
Date: Mon, 13 Jan 2020 20:14:00 +0100
Subject: [PATCH] Narrow the scope of the local server handler

Before, the local server handled any request regardless of path, which could potentially include requests generated by the browser such as the one for favicon. This could lead to race conditions around reading the code to continue to OAuth flow with. Now, have the OAuth flow redirect to `localhost:PORT/callback` and only handle `/callback` requests specifically.
---
 auth/oauth.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/auth/oauth.go b/auth/oauth.go
index 5e03d9a3b..84dbe9c78 100644
--- a/auth/oauth.go
+++ b/auth/oauth.go
@@ -46,7 +46,7 @@ func (oa *OAuthFlow) ObtainAccessToken() (accessToken string, err error) {
 
 	q := url.Values{}
 	q.Set("client_id", oa.ClientID)
-	q.Set("redirect_uri", fmt.Sprintf("http://localhost:%d", port))
+	q.Set("redirect_uri", fmt.Sprintf("http://localhost:%d/callback", port))
 	q.Set("scope", "repo")
 	q.Set("state", state)
 
@@ -57,6 +57,10 @@ func (oa *OAuthFlow) ObtainAccessToken() (accessToken string, err error) {
 	}
 
 	http.Serve(listener, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/callback" {
+			w.WriteHeader(404)
+			return
+		}
 		defer listener.Close()
 		rq := r.URL.Query()
 		if state != rq.Get("state") {
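Review bot: The new guard at the top of the handler in the second hunk writes a bare status literal, `w.WriteHeader(404)`; `net/http` is already imported on this line, so `w.WriteHeader(http.StatusNotFound)` (or `http.NotFound(w, r)`, which also emits the standard body) names the intent and matches the rest of the package's use of the library. The early `return` is correctly placed before `defer listener.Close()`, so a stray browser request such as a favicon fetch is answered without tearing the listener down before the real callback arrives, which is what the commit sets out to fix; it would be worth a one-line comment saying so, since a later reorder of those lines would silently reintroduce the race, e.g. `// Reject anything but the callback before the deferred Close so stray requests cannot shut the listener.`. The visible `state` comparison that follows remains the check that ties the callback to this flow and should keep preceding any use of the query parameters. The handler closure and ObtainAccessToken both continue past the end of the hunk.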