
Commit 5500835

fix(oauth): relax redirectUri state validation
1 parent 99c9c1d commit 5500835

1 file changed

Lines changed: 12 additions & 3 deletions


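--- a/app/src/lib/policies/github/oauthPkce.ts
+++ b/app/src/lib/policies/github/oauthPkce.ts
@@ -159,12 +159,21 @@ export async function completeGithubPkceCallback(url: URL): Promise<GithubPkceCa
     safeRemoveLocalStorage(sessionKey);
   }
 
-  const availability = getGithubPkceAvailability();
-  if (!availability.supported) return { ok: false, errorKey: 'errors.githubPkceUnsupported' };
-  if (normalizeRedirectUri(availability.redirectUri) !== normalizeRedirectUri(session.redirectUri)) {
+  // State-keyed session storage already provides CSRF protection.
+  // Additional redirect_uri equality checks are brittle on GitHub Pages (base path + caching + 404 fallback).
+  // We only require same-origin to avoid mixing sessions across sites.
+  try {
+    const expectedOrigin = window.location.origin;
+    if (new URL(session.redirectUri).origin !== expectedOrigin) {
+      return { ok: false, errorKey: 'errors.githubStateValidation' };
+    }
+  } catch {
     return { ok: false, errorKey: 'errors.githubStateValidation' };
   }
 
+  const availability = getGithubPkceAvailability();
+  if (!availability.supported) return { ok: false, errorKey: 'errors.githubPkceUnsupported' };
+
   try {
     const proxyUrl = getOauthProxyUrl();
     if (!proxyUrl) {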
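Review bot: The new origin guard compares `session.redirectUri` against `window.location.origin` even though the function already receives the callback location as the `url` parameter; assuming `url` is that location, `if (new URL(session.redirectUri).origin !== url.origin) {` ties the check to the URL actually being processed and drops the implicit `window` dependency, so the branch can be unit-tested outside a browser. The comment explains why the exact-match check was removed but not what the weaker check still guarantees, and it says "session storage" while the code uses localStorage (`safeRemoveLocalStorage`); suggest `// State-keyed localStorage session already provides CSRF protection; only the origin of the stored redirect_uri is verified here, its path/query are trusted as written by this origin.` Note that `availability.redirectUri` is no longer consulted anywhere in the hunk, so if the token exchange further down still sends `session.redirectUri`, a one-line comment stating which of the two is authoritative would help the next reader; the rest of completeGithubPkceCallback is outside the hunk.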
