Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix "Mismatching redirect URL" #3103

Merged
merged 3 commits into from
Aug 28, 2023
Merged

Fix "Mismatching redirect URL" #3103

merged 3 commits into from
Aug 28, 2023

Conversation

NSeydoux
Copy link
Contributor

This PR fixes bug #2891.

This bug was caused by an invalid redirect URL stored with session data. Saving an invalid redirect URL is now prohibited, and in addition the storage of users impacted by this bug will be cleared so that they don't have to do anything manually to clear their local storage. Users affected by this bug will be asked to log back in, as if they logged out.

  • I've added a unit test to test for potential regressions of this bug.
  • The changelog has been updated, if applicable.
  • Commits in this PR are minimal and have descriptive commit messages.

@NSeydoux
Forbid invalid redirect URLs
b64065e 
The client could register redirect URLs including OpenID Connect query
parameters.
@NSeydoux
Clear storage on invalid redirect URL persisted
e549152 
If the stored redirect URL is invalid, the silent login will end up in
an error. To prevent this crash from happening, when an invalid redirect
URL, the storage is cleared, so that the user has to properly log back
in.
@NSeydoux
Update changelog
08a90df
@NSeydoux NSeydoux force-pushed the fix/SDK-3140_prevent-invalid-redirect-url branch from 34dc69f to 08a90df Compare August 28, 2023 09:55
@NSeydoux NSeydoux temporarily deployed to ESS PodSpaces August 28, 2023 09:56 — with GitHub Actions Inactive
@NSeydoux NSeydoux temporarily deployed to ESS PodSpaces August 28, 2023 09:56 — with GitHub Actions Inactive
@NSeydoux NSeydoux temporarily deployed to ESS PodSpaces August 28, 2023 09:56 — with GitHub Actions Inactive
@NSeydoux NSeydoux temporarily deployed to ESS PodSpaces August 28, 2023 09:56 — with GitHub Actions Inactive
@NSeydoux NSeydoux temporarily deployed to ESS Dev-2-2 August 28, 2023 09:56 — with GitHub Actions Inactive
@NSeydoux NSeydoux marked this pull request as ready for review August 28, 2023 12:04
@NSeydoux NSeydoux requested a review from a team as a code owner August 28, 2023 12:04
@NSeydoux NSeydoux mentioned this pull request Aug 28, 2023
Open
5 tasks
jeswr
jeswr reviewed Aug 28, 2023
View reviewed changes
packages/browser/src/sessionInfo/SessionInfoManager.ts
}),
]);

if (typeof redirectUrl === "string" && !isValidRedirectUrl(redirectUrl)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there cases where this could be valid but still not the correct redirect url?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potentially, but it would become harder for the library to pick that up. One issue is that the failure happens out of the domain of the client, so the client is not informed that the OpenID Provider errors on their redirect_url, and there is no way for the client to look up what redirect URL has been registered by the client at dynamic registration.

I'm not even sure how the bad redirect URL gets in storage in the first place, but I suspect that using window.location.href plays a role. In that case, a likely cause of failure is picking up the OpenID query params (which is the observed cause of the bug in the reproduced issues).

If what you describe is indeed an issue, we'll need to figure out how to prevent it from happening, but for the time being I think it is low probabllity enough that we don't work on a fix for the time being.

@NSeydoux NSeydoux merged commit 8460a62 into main Aug 28, 2023
20 of 23 checks passed
@NSeydoux NSeydoux deleted the fix/SDK-3140_prevent-invalid-redirect-url branch August 28, 2023 12:51
mrkvon added a commit to solidcouch/solidcouch that referenced this pull request Sep 18, 2023
@mrkvon
Fix "Mismatching redirect uri" error
1e7b556 
by upgrading @inrupt/solid-client-authn-browser to latest version

nodeSolidServer/node-solid-server#1729
inrupt/solid-client-authn-js#2891
inrupt/solid-client-authn-js#3103
@mrkvon mrkvon mentioned this pull request Sep 18, 2023
Merged
mrkvon added a commit to solidcouch/solidcouch that referenced this pull request Sep 18, 2023
@mrkvon
Fix "Mismatching redirect uri" error (#55)
d1c38c6 
by upgrading @inrupt/solid-client-authn-browser to latest version

nodeSolidServer/node-solid-server#1729
inrupt/solid-client-authn-js#2891
inrupt/solid-client-authn-js#3103
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jeswr jeswr jeswr approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@NSeydoux @jeswr