From 59df0404ae1540139a4a693262f06432385f0005 Mon Sep 17 00:00:00 2001
From: Kang Ming
Date: Thu, 12 Dec 2024 15:41:29 +0800
Subject: [PATCH 1/3] fix: return error early for redirects

---
 src/GoTrueClient.ts | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/GoTrueClient.ts b/src/GoTrueClient.ts
index b01b16e0..99c40519 100644
--- a/src/GoTrueClient.ts
+++ b/src/GoTrueClient.ts
@@ -1423,14 +1423,24 @@ export default class GoTrueClient {
  > {
  try {
  if (!isBrowser()) throw new AuthImplicitGrantRedirectError('No browser detected.')
+
+ const params = parseParametersFromURL(window.location.href)
+ if (params.error || params.error_description || params.error_code) {
+ throw new AuthImplicitGrantRedirectError(
+ params.error_description || 'Error in URL with unspecified error_description',
+ {
+ error: params.error || 'unspecified_error',
+ code: params.error_code || 'unspecified_code',
+ }
+ )
+ }
+
  if (this.flowType === 'implicit' && !this._isImplicitGrantFlow()) {
  throw new AuthImplicitGrantRedirectError('Not a valid implicit grant flow url.')
  } else if (this.flowType == 'pkce' && !isPKCEFlow) {
  throw new AuthPKCEGrantCodeExchangeError('Not a valid PKCE flow url.')
  }
 
- const params = parseParametersFromURL(window.location.href)
-
  if (isPKCEFlow) {
  if (!params.code) throw new AuthPKCEGrantCodeExchangeError('No code detected.')
  const { data, error } = await this._exchangeCodeForSession(params.code)
@@ -1444,16 +1454,6 @@ export default class GoTrueClient {
  return { data: { session: data.session, redirectType: null }, error: null }
  }
 
- if (params.error || params.error_description || params.error_code) {
- throw new AuthImplicitGrantRedirectError(
- params.error_description || 'Error in URL with unspecified error_description',
- {
- error: params.error || 'unspecified_error',
- code: params.error_code || 'unspecified_code',
- }
- )
- }
-
  const {
  provider_token,
  provider_refresh_token,
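Review bot: `params.error_description` becomes the message of the thrown `AuthImplicitGrantRedirectError` verbatim, and it is read from `window.location.href`, so whoever can get a user to open a crafted callback URL controls that string; consumers that display `error.message` need to treat it as untrusted, and a comment on the `throw` should say so, e.g. `// error, error_description and error_code are copied from the URL as-is and are not verified against the server`. Moving the check ahead of the `_isImplicitGrantFlow()`/`isPKCEFlow` mismatch validation means an error-bearing URL is now reported regardless of the configured flow, which appears to be the intent of the subject line. `_getSessionFromURL` starts before this hunk.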
From 039727d2660098f5a80d8ddec6e5b6576de75ed1 Mon Sep 17 00:00:00 2001
From: Kang Ming
Date: Thu, 12 Dec 2024 16:18:25 +0800
Subject: [PATCH 2/3] chore: add comments

---
 src/GoTrueClient.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/GoTrueClient.ts b/src/GoTrueClient.ts
index 99c40519..2faf0f12 100644
--- a/src/GoTrueClient.ts
+++ b/src/GoTrueClient.ts
@@ -1425,7 +1425,11 @@ export default class GoTrueClient {
  if (!isBrowser()) throw new AuthImplicitGrantRedirectError('No browser detected.')
 
  const params = parseParametersFromURL(window.location.href)
+
+ // If there's an error in the URL, it doesn't matter what flow it is, we just return the error.
  if (params.error || params.error_description || params.error_code) {
+ // The error class returned implies that the redirect is from an implicit grant flow
+ // but it could also be from a redirect error from a PKCE flow.
  throw new AuthImplicitGrantRedirectError(
  params.error_description || 'Error in URL with unspecified error_description',
  {
@@ -1435,6 +1439,7 @@ export default class GoTrueClient {
  )
  }
 
+ // Checks for mismatches between the flowType initialised in the client and the URL parameters
  if (this.flowType === 'implicit' && !this._isImplicitGrantFlow()) {
  throw new AuthImplicitGrantRedirectError('Not a valid implicit grant flow url.')
  } else if (this.flowType == 'pkce' && !isPKCEFlow) {

From b0e7050e80226ba5a05848fa924a381f2680774d Mon Sep 17 00:00:00 2001
From: Kang Ming
Date: Thu, 12 Dec 2024 16:41:49 +0800
Subject: [PATCH 3/3] chore(refactor): reduce parsing query params unnecessarily

---
 src/GoTrueClient.ts | 40 +++++++++++++++++++++------------------
 1 file changed, 21 insertions(+), 19 deletions(-)

diff --git a/src/GoTrueClient.ts b/src/GoTrueClient.ts
index 2faf0f12..0dae63e9 100644
--- a/src/GoTrueClient.ts
+++ b/src/GoTrueClient.ts
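Review bot: The two-line comment added above `throw new AuthImplicitGrantRedirectError(` records that the class can be wrong for a PKCE redirect but gives a caller nothing to use instead, so a reader still cannot tell the two cases apart from the exception alone. It should name the stable handle, e.g. `// Callers must not infer the flow from this error class; the error/code values in the details object mirror the URL's error and error_code parameters.` `_getSessionFromURL` starts before and ends after both hunks of this patch.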
@@ -307,11 +307,8 @@ export default class GoTrueClient {
  */
  private async _initialize(): Promise {
  try {
- const isPKCEFlow = isBrowser() ? await this._isPKCEFlow() : false
- this._debug('#_initialize()', 'begin', 'is PKCE flow', isPKCEFlow)
-
- if (isPKCEFlow || (this.detectSessionInUrl && this._isImplicitGrantFlow())) {
- const { data, error } = await this._getSessionFromURL(isPKCEFlow)
+ if (isBrowser() && this.detectSessionInUrl) {
+ const { data, error } = await this._getSessionFromURL()
 
  if (error) {
  this._debug('#_initialize()', 'error detecting session from URL', error)
@@ -1414,7 +1411,7 @@ export default class GoTrueClient {
  /**
  * Gets the session data from a URL string
  */
- private async _getSessionFromURL(isPKCEFlow: boolean): Promise<
+ private async _getSessionFromURL(): Promise<
  | {
  data: { session: Session; redirectType: string | null }
  error: null
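Review bot: The new gate `if (isBrowser() && this.detectSessionInUrl)` calls `_getSessionFromURL()` on every browser page load once `detectSessionInUrl` is set, including loads whose URL carries no auth parameters at all, and the `@@ -1439` hunk of this patch makes that method throw `Not a valid implicit grant flow url.` or `Not a valid PKCE flow url.` in exactly that case, so `_initialize` would take its `if (error)` branch on ordinary navigations; what it does after the `this._debug(...)` line is outside the hunk, so the consequence cannot be confirmed here. The removed condition `isPKCEFlow || (this.detectSessionInUrl && this._isImplicitGrantFlow())` also exchanged a PKCE code regardless of `detectSessionInUrl`, and the new gate drops that without the subject line saying so. Either parse once here and only call through when a flow actually matches, `const params = parseParametersFromURL(window.location.href)` followed by `if (this._isImplicitGrantFlow(params) || (await this._isPKCEFlow(params))) {`, or have `_getSessionFromURL()` report a no-redirect result instead of throwing when neither flow matches. `_initialize` ends outside this hunk.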
@@ -1439,14 +1436,23 @@ export default class GoTrueClient {
  )
  }
 
+ const isRedirectFromImplicitGrantFlow = this._isImplicitGrantFlow(params)
+ const isRedirectFromPKCEFlow = await this._isPKCEFlow(params)
+
  // Checks for mismatches between the flowType initialised in the client and the URL parameters
- if (this.flowType === 'implicit' && !this._isImplicitGrantFlow()) {
- throw new AuthImplicitGrantRedirectError('Not a valid implicit grant flow url.')
- } else if (this.flowType == 'pkce' && !isPKCEFlow) {
- throw new AuthPKCEGrantCodeExchangeError('Not a valid PKCE flow url.')
+ if (!isRedirectFromImplicitGrantFlow && !isRedirectFromPKCEFlow) {
+ if (this.flowType === 'implicit') {
+ throw new AuthImplicitGrantRedirectError('Not a valid implicit grant flow url.')
+ } else if (this.flowType === 'pkce') {
+ throw new AuthPKCEGrantCodeExchangeError('Not a valid PKCE flow url.')
+ } else {
+ throw new AuthError('Invalid flow type.')
+ }
  }
 
- if (isPKCEFlow) {
+ // Since this is a redirect for PKCE, we attempt to retrieve the code from the URL for the code exchange
+ if (isRedirectFromPKCEFlow) {
+ this._debug('#_initialize()', 'begin', 'is PKCE flow', isRedirectFromPKCEFlow)
  if (!params.code) throw new AuthPKCEGrantCodeExchangeError('No code detected.')
  const { data, error } = await this._exchangeCodeForSession(params.code)
  if (error) throw error
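Review bot: The new `this._debug('#_initialize()', ...)` line lives inside `_getSessionFromURL`, so the log prefix names the wrong method; it should read `this._debug('#_getSessionFromURL()', 'begin', 'is PKCE flow', isRedirectFromPKCEFlow)`. Once `isRedirectFromPKCEFlow` is true the following `if (!params.code)` guard can no longer fire, because `_isPKCEFlow(params)` in the `@@ -1536` hunk already requires `params.code`; keeping it as defence in depth is reasonable, but a short comment saying it is expected to be unreachable would save the next reader from hunting for the path that reaches it. The `throw new AuthError('Invalid flow type.')` branch is reached only when `this.flowType` is neither `'implicit'` nor `'pkce'`, since both helpers now check the flow type themselves, and the message could say that. `_getSessionFromURL` starts before and ends after this hunk.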
@@ -1536,24 +1542,20 @@ export default class GoTrueClient {
  /**
  * Checks if the current URL contains parameters given by an implicit oauth grant flow (https://www.rfc-editor.org/rfc/rfc6749.html#section-4.2)
  */
- private _isImplicitGrantFlow(): boolean {
- const params = parseParametersFromURL(window.location.href)
-
- return !!(isBrowser() && (params.access_token || params.error_description))
+ private _isImplicitGrantFlow(params: { [parameter: string]: string }): boolean {
+ return !!((params.access_token || params.error_description) && this.flowType === 'implicit')
  }
 
  /**
  * Checks if the current URL and backing storage contain parameters given by a PKCE flow
  */
- private async _isPKCEFlow(): Promise {
- const params = parseParametersFromURL(window.location.href)
-
+ private async _isPKCEFlow(params: { [parameter: string]: string }): Promise {
  const currentStorageContent = await getItemAsync(
  this.storage,
  `${this.storageKey}-code-verifier`
  )
- return !!(params.code && currentStorageContent)
+ return !!(params.code && currentStorageContent && this.flowType === 'pkce')
  }
 
  /**