OAuth security hardening & bug fixes from PR review

ReadMe.md

@@ -28,7 +28,7 @@ Before connecting ElectronForce to a Salesforce org you need to create an Extern
 5. Set the **Distribution State** to **Local** (for use only in this org).
 6. Save the app, then open it and enable the **OAuth Plugin**.
 7. In the OAuth plugin settings, set the **Callback URL** to `http://localhost:3835/callback`.
-8. Add the following **OAuth Scopes**: `api` and `refresh_token, offline_access`.
+8. Add the following **OAuth Scopes**: `api` and `refresh_token`.
 9. Save. Copy the **Consumer Key** (Client ID) and **Consumer Secret** from the OAuth plugin detail page.
 
 For full details see the Salesforce Help article [Create an External Client App](https://help.salesforce.com/s/articleView?id=xcloud.create_a_local_external_client_app.htm&type=5).

app/render.js

@@ -749,7 +749,9 @@ window.api.receive('response_permset_detail', (data) => {
 window.api.receive('response_settings', (data) => {
   if (data.response) {
     document.getElementById('settings-consumer-key').value = data.response.consumerKey ?? '';
-    document.getElementById('settings-consumer-secret').value = data.response.consumerSecret ?? '';
+    if ('consumerSecret' in data.response) {
+      document.getElementById('settings-consumer-secret').value = data.response.consumerSecret ?? '';
+    }
     document.getElementById('settings-login-url').value = data.response.loginUrl || 'https://login.salesforce.com';
     document.getElementById('settings-callback-port').value = data.response.callbackPort ?? 3835;
   }

main.js

@@ -78,19 +78,18 @@ app.on('window-all-closed', () => {
 // Extra security filters.
 // See also: https://github.com/reZach/secure-electron-template
 app.on('web-contents-created', (event, contents) => {
-  // Block navigation to any non-file:// URL.
-  // The app only ever loads local file:// pages; external URLs (including OAuth
-  // authorization URLs) are opened via shell.openExternal and never cause
-  // Electron navigation. The OAuth localhost callback is handled by the HTTP
-  // server in src/electronForce.js, not by Electron navigation events.
+  // Restrict navigation to the application's own index.html only.
+  // External URLs (including OAuth authorization URLs) are opened via
+  // shell.openExternal and never trigger Electron navigation events.
   // https://electronjs.org/docs/tutorial/security#12-disable-or-limit-navigation
+  const indexUrl = `file://${path.join(app.getAppPath(), 'app', 'index.html')}`;
   contents.on('will-navigate', (navevent, url) => {
-    if (!url.startsWith('file://')) {
+    if (url !== indexUrl) {
       navevent.preventDefault();
     }
   });
   contents.on('will-redirect', (navevent, url) => {
-    if (!url.startsWith('file://')) {
+    if (url !== indexUrl) {
       navevent.preventDefault();
     }
   });