Commit ce089244 authored by Brendan Early's avatar Brendan Early
Browse files

Bug 1635344 - Allow launchWebAuthFlow redirect URI to be set to loopback address. r=robwu, a=RyanVM 

Differential Revision: https://phabricator.services.mozilla.com/D88738
parent e591e32a

toolkit/components/extensions/child/ext-identity.js

+11 −1
Original line number Diff line number Diff line
@@ -49,6 +49,13 @@ this.identity = class extends ExtensionAPI { 
          // Validate the url and retreive redirect_uri if it was provided.

          let url, redirectURI;

          let baseRedirectURL = this.getRedirectURL();



          // Allow using loopback address for native OAuth flows as some

          //  providers do not accept the URL provided by getRedirectURL.

          // For more context, see bug 1635344.

          let loopbackURL = `http://127.0.0.1/mozoauth2/${computeHash(

            extension.id

          )}`;

          try {

            url = new URL(details.url);

          } catch (e) {
@@ -58,7 +65,10 @@ this.identity = class extends ExtensionAPI { 
            redirectURI = new URL(

              url.searchParams.get("redirect_uri") || baseRedirectURL

            );

            if (!redirectURI.href.startsWith(baseRedirectURL)) {

            if (

              !redirectURI.href.startsWith(baseRedirectURL) &&

              !redirectURI.href.startsWith(loopbackURL)

            ) {

              return Promise.reject({ message: "redirect_uri not allowed" });

            }

          } catch (e) {

toolkit/components/extensions/test/mochitest/test_ext_identity.html

+31 −0
Original line number Diff line number Diff line
@@ -353,6 +353,37 @@ add_task(async function test_auto303Redirect() { 
  await extension.awaitMessage("done");

  await extension.unload();

});



add_task(async function test_loopbackRedirectURI() {

  let extension = ExtensionTestUtils.loadExtension({

    manifest: {

      applications: {

        gecko: {

          id: "identity@mozilla.org",

        },

      },

      permissions: ["identity"],

    },

    async background() {

      let redirectURL = "http://127.0.0.1/mozoauth2/35b64b676900f491c00e7f618d43f7040e88422e";

      let actualRedirect = await browser.identity.launchWebAuthFlow({

        interactive: true,

        url: `https://example.com/tests/toolkit/components/extensions/test/mochitest/oauth.html?redirect_uri=${encodeURIComponent(redirectURL)}`

      }).catch(error => {

        browser.test.fail(error.message)

      });

      browser.test.assertTrue(

        actualRedirect.startsWith(redirectURL),

        "Expected redirect url to be loopback address"

      )

      browser.test.sendMessage("done");

    },

  });



  await extension.startup();

  await extension.awaitMessage("done");

  await extension.unload();

});

</script>



</body>