Strict check for URL params
By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.
Description
Current code checks for the strings code=, state=, error=. This causes issues if there is a substring that contains these strings, e.g. scode=, estate=, abceferror=. These all pass erroneously thinking it is an Auth0 application. My app was failing because state was a substring of one of my URL params.
This fix is to strictly check that there is a URL param that exists and is also populated.
Testing
To test, current functionality should still work when there is a code=, state= in the URL. However, it should NOT continue now if there is a URL with abccode=, defstate= or ghijerror= in it. All current tests pass with this change.
I also added a test to check that it does not call the redirect callback if the URL params are abccode= or xyzstate=.
- [x] This change adds test coverage for new/changed/fixed functionality
Checklist
- [x] I have added documentation for new/changed functionality in this PR or in auth0.com/docs
- [x] All active GitHub checks for tests, formatting, and security are passing
- [x] The correct base branch is being used, if not the default branch
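The difference between the two checks described above, as an added example that is not code from this PR or from the Auth0 SDK. The function names, the way the three checks are combined, and the sample query strings are assumptions made for illustration.

```javascript
// Added illustration. Function names are hypothetical, not the SDK's API.

// Substring matching as the description characterises it. How the three
// checks are combined (code or error, plus state) is an assumption.
function looseCallbackCheck(search) {
  return (
    (search.includes('code=') || search.includes('error=')) &&
    search.includes('state=')
  );
}

// Strict matching: the parameter must exist under exactly that name
// and carry a non-empty value.
function strictCallbackCheck(search) {
  const params = new URLSearchParams(search);
  const populated = (name) => {
    const value = params.get(name);
    return value !== null && value !== '';
  };
  return (populated('code') || populated('error')) && populated('state');
}

// Constructed query strings, including the cases named in the description.
const SAMPLES = [
  '?code=abc123&state=xyz789',
  '?error=access_denied&state=xyz789',
  '?abccode=1&xyzstate=2',
  '?scode=1&estate=house',
  '?abceferror=1&defstate=2',
  '?code=&state=',
  '?page=2',
];

// Run both checks over each sample so the disagreements are visible.
function compareChecks(samples) {
  return samples.map((search) => ({
    search,
    loose: looseCallbackCheck(search),
    strict: strictCallbackCheck(search),
  }));
}

console.table(compareChecks(SAMPLES));
```

Rows where `loose` is true and `strict` is false are the application's own URLs that the substring check would treat as a login callback.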
Just a quick update ... Our SPA-JS SDK v2 has gone into beta, dropping support for IE11 and the like. We expect our Angular SDK to follow with a new beta as well, but not sooner than once SPA-JS has hit GA.
Will merge this PR in a beta branch once we are at that point. Thanks for this change 👍
@frederikprijck sounds great. Thx!