@oxyhq/core 2.2.0 → 2.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/.tsbuildinfo +1 -1
- package/dist/cjs/mixins/OxyServices.popup.js +15 -4
- package/dist/esm/.tsbuildinfo +1 -1
- package/dist/esm/mixins/OxyServices.popup.js +15 -4
- package/dist/types/.tsbuildinfo +1 -1
- package/dist/types/mixins/OxyServices.popup.d.ts +19 -0
- package/package.json +1 -1
- package/src/mixins/OxyServices.popup.ts +36 -4
|
@@ -191,17 +191,25 @@ function OxyServicesPopupAuthMixin(Base) {
|
|
|
191
191
|
const timeout = options.timeout || this.constructor.SILENT_TIMEOUT;
|
|
192
192
|
const nonce = this.generateNonce();
|
|
193
193
|
const clientId = window.location.origin;
|
|
194
|
+
// Resolve the IdP origin for the iframe. An explicit per-apex override (the
|
|
195
|
+
// durable cross-domain reload path — see `SilentAuthOptions.authWebUrlOverride`)
|
|
196
|
+
// wins over the instance's configured central auth URL. The SAME origin is
|
|
197
|
+
// handed to `waitForIframeAuth` so the postMessage origin check matches the
|
|
198
|
+
// exact host the iframe was loaded from.
|
|
199
|
+
const authOrigin = options.authWebUrlOverride && options.authWebUrlOverride.length > 0
|
|
200
|
+
? options.authWebUrlOverride
|
|
201
|
+
: this.resolveAuthUrl();
|
|
194
202
|
const iframe = document.createElement('iframe');
|
|
195
203
|
iframe.style.display = 'none';
|
|
196
204
|
iframe.style.position = 'absolute';
|
|
197
205
|
iframe.style.width = '0';
|
|
198
206
|
iframe.style.height = '0';
|
|
199
207
|
iframe.style.border = 'none';
|
|
200
|
-
const silentUrl = `${
|
|
208
|
+
const silentUrl = `${authOrigin}/auth/silent?` + `client_id=${encodeURIComponent(clientId)}&` + `nonce=${nonce}`;
|
|
201
209
|
iframe.src = silentUrl;
|
|
202
210
|
document.body.appendChild(iframe);
|
|
203
211
|
try {
|
|
204
|
-
const session = await this.waitForIframeAuth(iframe, timeout,
|
|
212
|
+
const session = await this.waitForIframeAuth(iframe, timeout, authOrigin);
|
|
205
213
|
// Bail early on incomplete responses. The iframe contract requires
|
|
206
214
|
// both an access token and a session id; anything less is unusable.
|
|
207
215
|
// Returning `null` here (without installing the token) prevents a
|
|
@@ -389,8 +397,11 @@ function OxyServicesPopupAuthMixin(Base) {
|
|
|
389
397
|
resolve(null); // Silent failure - don't throw
|
|
390
398
|
}, timeout);
|
|
391
399
|
const messageHandler = (event) => {
|
|
392
|
-
// Verify origin
|
|
393
|
-
|
|
400
|
+
// Verify origin against the EXACT host the iframe was loaded from
|
|
401
|
+
// (`expectedOrigin`). For the per-apex durable-restore path this is
|
|
402
|
+
// `auth.<rp-apex>`, not the instance's central `resolveAuthUrl()` — so
|
|
403
|
+
// we must honour the caller-supplied origin, never re-derive it here.
|
|
404
|
+
if (event.origin !== expectedOrigin) {
|
|
394
405
|
return;
|
|
395
406
|
}
|
|
396
407
|
const { type, session } = event.data;
|
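Review bot: `authOrigin` (new lines 199–201) is a configured URL string, yet `waitForIframeAuth` compares it with `event.origin` by strict equality (new line 404 in the second hunk), and `event.origin` is always the normalised `scheme://host[:port]` form — a trailing slash, path or differently-cased host in `authWebUrlOverride` or in what `resolveAuthUrl()` returns makes every reply fail the check, so the silent flow ends in the timer's `resolve(null)` with nothing logged. Normalise once with `new URL(...).origin` before handing it to `waitForIframeAuth`; that also makes a malformed override throw at the call site instead of surfacing as a silent timeout, and the iframe `src` can keep being built from the raw URL so existing deployments are unaffected. Because the trusted origin is now caller-supplied, it is also worth accepting replies only from the frame created here, `if (event.source !== iframe.contentWindow) return;`, provided `iframe` is in scope in the handler (the start of `waitForIframeAuth` lies outside the hunk). The handler destructures only `type` and `session` from `event.data`; if the `nonce` sent on line 208 is not compared against the reply further down, that should be stated in a comment or added.
```javascript
// … unchanged: timeout / nonce / clientId …
const authWebUrl = options.authWebUrlOverride && options.authWebUrlOverride.length > 0
    ? options.authWebUrlOverride
    : this.resolveAuthUrl();
// `event.origin` is always `scheme://host[:port]`; compare against that exact form.
// `new URL` throws on a malformed value, so a bad override fails loudly here.
const authOrigin = new URL(authWebUrl).origin;
// … unchanged: iframe creation and styling …
const silentUrl = `${authWebUrl}/auth/silent?` + `client_id=${encodeURIComponent(clientId)}&` + `nonce=${nonce}`;
// … unchanged: iframe.src / appendChild …
const session = await this.waitForIframeAuth(iframe, timeout, authOrigin);
```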