openapi-explorer 1.0.534 → 1.0.537

package/dist/es/openapi-explorer.js

@@ -480,6 +480,13 @@ export default class OpenApiExplorer extends LitElement {
       this.resolvedSpec = null;
       console.error('OpenAPI Explorer: Unable to resolve the API spec..', err); // eslint-disable-line no-console
     }
+
+    try {
+      await checkForAuthToken.call(this);
+    } catch (error) {
+      // eslint-disable-next-line no-console
+      console.error('Failed to check for authentication token', error);
+    }
   } // Public Method
 
 

package/dist/es/templates/security-scheme-template.js

@@ -163,11 +163,22 @@ export async function checkForAuthToken(redirectToApiLocation) {
 
   const sanitizedUrlWithHash = newUrl.toString().replace(/#((code|state|access_token|id_token|authuser|expires_in|hd|prompt|scope|token_type)=[^&]+&?)*$/ig, '');
   history.replaceState({}, undefined, sanitizedUrlWithHash);
+  let parsedState;
+
+  try {
+    // If somehow the state contains a question mark, just remove it, a ? is not a valid here
+    parsedState = JSON.parse(base64url.decode(parameters.state.replace(/\?.*$/, '')));
+  } catch (error) {
+    // eslint-disable-next-line no-console
+    console.error('The state parameter in the OAuth response is invalid', error, parameters.state);
+    return;
+  }
+
   const {
     apiKeyId,
     flowId,
     url
-  } = JSON.parse(base64url.decode(parameters.state));
+  } = parsedState;
 
   if (redirectToApiLocation && url && !parameters.redirect_auth) {
     const apiExplorerLocation = new URL(url);

package/dist/lib/openapi-explorer.js

@@ -521,6 +521,13 @@ class OpenApiExplorer extends _lit.LitElement {
       this.resolvedSpec = null;
       console.error('OpenAPI Explorer: Unable to resolve the API spec..', err); // eslint-disable-line no-console
     }
+
+    try {
+      await _securitySchemeTemplate.checkForAuthToken.call(this);
+    } catch (error) {
+      // eslint-disable-next-line no-console
+      console.error('Failed to check for authentication token', error);
+    }
   } // Public Method
 
 

package/dist/lib/templates/security-scheme-template.js

@@ -176,11 +176,22 @@ async function checkForAuthToken(redirectToApiLocation) {
 
   const sanitizedUrlWithHash = newUrl.toString().replace(/#((code|state|access_token|id_token|authuser|expires_in|hd|prompt|scope|token_type)=[^&]+&?)*$/ig, '');
   history.replaceState({}, undefined, sanitizedUrlWithHash);
+  let parsedState;
+
+  try {
+    // If somehow the state contains a question mark, just remove it, a ? is not a valid here
+    parsedState = JSON.parse(_base64url.default.decode(parameters.state.replace(/\?.*$/, '')));
+  } catch (error) {
+    // eslint-disable-next-line no-console
+    console.error('The state parameter in the OAuth response is invalid', error, parameters.state);
+    return;
+  }
+
   const {
     apiKeyId,
     flowId,
     url
-  } = JSON.parse(_base64url.default.decode(parameters.state));
+  } = parsedState;
 
   if (redirectToApiLocation && url && !parameters.redirect_auth) {
     const apiExplorerLocation = new URL(url);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openapi-explorer",
-  "version": "1.0.534",
+  "version": "1.0.537",
   "description": "OpenAPI Explorer - API viewer with dynamically generated components, documentation, and interaction console",
   "author": "Rhosys Developers <developers@rhosys.ch>",
   "type": "module",