@oxyhq/core 2.2.0 → 2.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/.tsbuildinfo +1 -1
- package/dist/cjs/mixins/OxyServices.popup.js +15 -4
- package/dist/esm/.tsbuildinfo +1 -1
- package/dist/esm/mixins/OxyServices.popup.js +15 -4
- package/dist/types/.tsbuildinfo +1 -1
- package/dist/types/mixins/OxyServices.popup.d.ts +19 -0
- package/package.json +1 -1
- package/src/mixins/OxyServices.popup.ts +36 -4
|
@@ -187,17 +187,25 @@ export function OxyServicesPopupAuthMixin(Base) {
|
|
|
187
187
|
const timeout = options.timeout || this.constructor.SILENT_TIMEOUT;
|
|
188
188
|
const nonce = this.generateNonce();
|
|
189
189
|
const clientId = window.location.origin;
|
|
190
|
+
// Resolve the IdP origin for the iframe. An explicit per-apex override (the
|
|
191
|
+
// durable cross-domain reload path — see `SilentAuthOptions.authWebUrlOverride`)
|
|
192
|
+
// wins over the instance's configured central auth URL. The SAME origin is
|
|
193
|
+
// handed to `waitForIframeAuth` so the postMessage origin check matches the
|
|
194
|
+
// exact host the iframe was loaded from.
|
|
195
|
+
const authOrigin = options.authWebUrlOverride && options.authWebUrlOverride.length > 0
|
|
196
|
+
? options.authWebUrlOverride
|
|
197
|
+
: this.resolveAuthUrl();
|
|
190
198
|
const iframe = document.createElement('iframe');
|
|
191
199
|
iframe.style.display = 'none';
|
|
192
200
|
iframe.style.position = 'absolute';
|
|
193
201
|
iframe.style.width = '0';
|
|
194
202
|
iframe.style.height = '0';
|
|
195
203
|
iframe.style.border = 'none';
|
|
196
|
-
const silentUrl = `${
|
|
204
|
+
const silentUrl = `${authOrigin}/auth/silent?` + `client_id=${encodeURIComponent(clientId)}&` + `nonce=${nonce}`;
|
|
197
205
|
iframe.src = silentUrl;
|
|
198
206
|
document.body.appendChild(iframe);
|
|
199
207
|
try {
|
|
200
|
-
const session = await this.waitForIframeAuth(iframe, timeout,
|
|
208
|
+
const session = await this.waitForIframeAuth(iframe, timeout, authOrigin);
|
|
201
209
|
// Bail early on incomplete responses. The iframe contract requires
|
|
202
210
|
// both an access token and a session id; anything less is unusable.
|
|
203
211
|
// Returning `null` here (without installing the token) prevents a
|
|
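Review bot: The new `authOrigin` is compared verbatim with `event.origin` in `waitForIframeAuth` (second hunk, `if (event.origin !== expectedOrigin)`), so an override such as `https://auth.example.com/` with a trailing slash, or any value carrying a path, can never match and silent auth quietly times out to `null`. Normalize once, before the iframe is created: `const authUrl = options.authWebUrlOverride?.length > 0 ? options.authWebUrlOverride : this.resolveAuthUrl();` followed by `const authOrigin = new URL(authUrl).origin;`, which also rejects a malformed override up front instead of after the iframe has been attached (this is a no-op for the existing path provided `resolveAuthUrl()` already returns a bare origin, which the exact-match check requires anyway). If the override is intended to carry a path, keep the raw value for `silentUrl` and hand only the normalized origin to `waitForIframeAuth`. Since this value decides which origin's postMessage is trusted, the doc comment on `authWebUrlOverride` should say it must come from trusted application configuration, and the handler could additionally require `event.source === iframe.contentWindow` so that only the iframe this call created is accepted. The enclosing method starts before this hunk and continues past it.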
@@ -385,8 +393,11 @@ export function OxyServicesPopupAuthMixin(Base) {
|
|
|
385
393
|
resolve(null); // Silent failure - don't throw
|
|
386
394
|
}, timeout);
|
|
387
395
|
const messageHandler = (event) => {
|
|
388
|
-
// Verify origin
|
|
389
|
-
|
|
396
|
+
// Verify origin against the EXACT host the iframe was loaded from
|
|
397
|
+
// (`expectedOrigin`). For the per-apex durable-restore path this is
|
|
398
|
+
// `auth.<rp-apex>`, not the instance's central `resolveAuthUrl()` — so
|
|
399
|
+
// we must honour the caller-supplied origin, never re-derive it here.
|
|
400
|
+
if (event.origin !== expectedOrigin) {
|
|
390
401
|
return;
|
|
391
402
|
}
|
|
392
403
|
const { type, session } = event.data;
|