mirror/api
1
0
Fork 0
mirror of https://github.com/unraid/api.git synced 2025-12-31 13:39:52 -06:00
Code Issues Packages Projects Releases Wiki Activity

feat: use state passing to validate requests

Browse Source
This commit is contained in:
Eli Bosley
2025-01-20 13:54:47 -05:00
parent aae38e3404
commit bd584902e0
1 changed files with 22 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
web/components/SsoButton.ce.vue
View File

@@ -24,31 +24,41 @@ const enterCallbackTokenIntoField = (token: string) => {
} }
}; };
const search = new URLSearchParams(window.location.search); const getStateToken = (): string | null => {
const token = search.get('token') ?? ''; const state = sessionStorage.getItem('sso_state');
if (token) { return state ?? null;
enterCallbackTokenIntoField(token); };
// Clear the token from the URL
window.history.replaceState({}, document.title, window.location.pathname);
window.location.search = '';
}
watch(queryParams, (newVal) => { const generateStateToken = (): string => {
if (newVal?.token) { const state =
enterCallbackTokenIntoField(newVal.token); Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
sessionStorage.setItem('sso_state', state);
return state;
};
onMounted(() => {
const search = new URLSearchParams(window.location.search);
const token = search.get('token') ?? '';
const state = search.get('state') ?? '';
const sessionState = getStateToken();
if (token && state === sessionState) {
enterCallbackTokenIntoField(token);
// Clear the token from the URL // Clear the token from the URL
window.history.replaceState({}, document.title, window.location.pathname); window.history.replaceState({}, document.title, window.location.pathname);
window.location.search = ''; window.location.search = '';
} }
}); });
const externalSSOUrl = computed(() => { const externalSSOUrl = computed<string>(() => {
if (props.subids === undefined) { if (props.subids === undefined) {
return ''; return '';
} }
const url = new URL('sso', ACCOUNT); const url = new URL('sso', ACCOUNT);
url.searchParams.append('uids', props.subids); url.searchParams.append('uids', props.subids);
const callbackUrlLogin = new URL('login', window.location.origin); const callbackUrlLogin = new URL('login', window.location.origin);
const state = generateStateToken();
callbackUrlLogin.searchParams.append('state', state);
url.searchParams.append('serverUrl', callbackUrlLogin.toString()); url.searchParams.append('serverUrl', callbackUrlLogin.toString());
return url.toString(); return url.toString();
}); });