
Merge pull request #564 from michielvangendt/main
Include message body in 302 responses
adamjmcgrath authored Dec 23, 2021
2 parents b423b57 + 336dc32 commit 472ea26
Showing 4 changed files with 9 additions and 6 deletions.
3 changes: 2 additions & 1 deletion src/auth0-session/handlers/callback.ts
Expand Up @@ -6,6 +6,7 @@ import { ClientFactory } from '../client';
import TransientStore from '../transient-store';
import { decodeState } from '../hooks/get-login-state';
import { SessionCache } from '../session-cache';
import { htmlSafe } from '../../utils/errors';

function getRedirectUri(config: Config): string {
return urlJoin(config.baseURL, config.routes.callback);
Expand Down Expand Up @@ -69,6 +70,6 @@ export default function callbackHandlerFactory(
res.writeHead(302, {
Location: openidState.returnTo || config.baseURL
});
res.end();
res.end(htmlSafe(openidState.returnTo || config.baseURL));
};
}
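Review bot: The new `res.end(htmlSafe(openidState.returnTo || config.baseURL))` sends a body for the first time, but the `writeHead(302, …)` above it still sets only `Location`, so unless something outside this hunk adds one, the response carries no Content-Type and the HTML-escaped body is left to client sniffing. Since `returnTo` comes from the login state rather than from the handler itself, pinning the body's type makes the escaping choice coherent, and computing the target once avoids the duplicated `||` expression: `const returnTo = openidState.returnTo || config.baseURL;`, `res.writeHead(302, { Location: returnTo, 'Content-Type': 'text/html; charset=utf-8' });`, `res.end(htmlSafe(returnTo));`. The same applies to the `authorizationUrl` body in login.ts and to the three `returnURL` bodies in logout.ts. The enclosing handler returned by callbackHandlerFactory starts outside this hunk.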
3 changes: 2 additions & 1 deletion src/auth0-session/handlers/login.ts
Expand Up @@ -6,6 +6,7 @@ import TransientStore, { StoreOptions } from '../transient-store';
import { encodeState } from '../hooks/get-login-state';
import { ClientFactory } from '../client';
import createDebug from '../utils/debug';
import { htmlSafe } from '../../utils/errors';

const debug = createDebug('handlers');

Expand Down Expand Up @@ -92,6 +93,6 @@ export default function loginHandlerFactory(
res.writeHead(302, {
Location: authorizationUrl
});
res.end();
res.end(htmlSafe(authorizationUrl));
};
}
7 changes: 4 additions & 3 deletions src/auth0-session/handlers/logout.ts
Expand Up @@ -5,6 +5,7 @@ import createDebug from '../utils/debug';
import { Config, LogoutOptions } from '../config';
import { ClientFactory } from '../client';
import { SessionCache } from '../session-cache';
import { htmlSafe } from '../../utils/errors';

const debug = createDebug('logout');

Expand All @@ -28,7 +29,7 @@ export default function logoutHandlerFactory(
res.writeHead(302, {
Location: returnURL
});
res.end();
res.end(htmlSafe(returnURL));
return;
}

Expand All @@ -40,7 +41,7 @@ export default function logoutHandlerFactory(
res.writeHead(302, {
Location: returnURL
});
res.end();
res.end(htmlSafe(returnURL));
return;
}

Expand All @@ -54,6 +55,6 @@ export default function logoutHandlerFactory(
res.writeHead(302, {
Location: returnURL
});
res.end();
res.end(htmlSafe(returnURL));
};
}
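Review bot: The `writeHead(302, { Location: returnURL })` / `res.end(htmlSafe(returnURL))` pair is now repeated verbatim in all three hunks of this file, and the commit had to touch each copy to add the body; a small local helper inside the handler would keep the `Location` header and the body derived from the same value so a future change cannot update one copy and miss another. The handler returned by logoutHandlerFactory starts before the first hunk, so the helper would be declared there, where `res` is already in scope, and the three branches would each call it in place of the two-line pair.
```typescript
// … unchanged: start of the handler returned by logoutHandlerFactory (outside this hunk) …
const redirectTo = (target: string): void => {
  res.writeHead(302, { Location: target });
  res.end(htmlSafe(target));
};
// … unchanged: the three branches, each calling redirectTo(returnURL) in place of the writeHead/end pair …
```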
2 changes: 1 addition & 1 deletion src/utils/errors.ts
Expand Up @@ -26,7 +26,7 @@ export class AccessTokenError extends Error {

// eslint-disable-next-line max-len
// Basic escaping for putting untrusted data directly into the HTML body, per: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content
function htmlSafe(input: string): string {
export function htmlSafe(input: string): string {
return input
.replace(/&/g, '&')
.replace(/</g, '&lt;')
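 
Review bot: `htmlSafe` becomes a module export here but keeps only the line comment written for its former private use; as a shared API it should state its contract in TSDoc, namely that it escapes `&`, `<` and `>` (the replacement chain continues past this hunk, so any further characters it handles belong in the doc too) so that `input` can be placed in HTML element content, and that it is not sufficient for attribute, URL or script contexts. As rendered on this page the first replacement reads `'&'`, which would be an identity; presumably the source reads `'&amp;'` and the page decoded the entity, but it is worth confirming since the login, logout and callback bodies now depend on this function.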
