Skip to content

OAuth: Allow the authorizeUrl to be a subpath of the callbackUrl #4889

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

OAuth: Allow the authorizeUrl to be a subpath of the callbackUrl #4889

wants to merge 2 commits into from

Conversation

kekru
Copy link

@kekru kekru commented Jun 13, 2025
edited
Loading

Description

First of all: Thanks for this nice tool :)
This is a little bugfix, to allow an OAuth authorizeUrl to be a subpath of the callbackUrl.

We have the following scenario:

  • App = CallbackUrl running on https://apigateway-something.mycompany.dev
  • Keycloak = AuthorizeUrl running on https://apigateway-something.mycompany.dev/auth/realms/my-realm/protocol/openid-connect/auth

So the special case is here, that the authorizeUrl is a subpath of the callbackUrl.

In packages/bruno-electron/src/ipc/network/authorize-user-in-window.js -> window.webContents.on('did-navigate', ...) this causes the OAuth process to run window.close() to early. It directly closes, when opening authorizeUrl, because it thinks, authorizeUrl is already the callbackUrl.
In fact, the user does not even see the window, because it directly closes.

As we see here, authorizeUrl is called, then directly the tokenUrl. Normally there should be another call in between, which is the 302 redirect.

image

This PR fixes this, by adding another check, that ensures, that the window does not directly close, in that situation.

Contribution Checklist:

  • The pull request only addresses one issue or adds one feature.
  • The pull request does not introduce any breaking changes
  • I have added screenshots or gifs to help explain the change if applicable.
  • I have read the contribution guidelines.
  • Create an issue and link to the pull request.

pietrygamat
pietrygamat suggested changes Jun 16, 2025
View reviewed changes
packages/bruno-electron/src/ipc/network/authorize-user-in-window.js Outdated
Comment on lines 4 to 13
const matchesCallbackUrl = (url, authorizeUrl, callbackUrl) => {
if (!url) {
return false;
}

if (url.href.startsWith(authorizeUrl.href)) {
return false;
}

return url.href.startsWith(callbackUrl.href);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we are getting into specific scenarios, this breaks for:
Auth URL: https://apigateway.mycompany.dev/auth/realms/my-realm/protocol/openid-connect/auth
Redirect URL: https://apigateway.mycompany.dev/auth/realms/my-realm/protocol/openid-connect/auth-redirect

It does not seem necessary to include a third parameter in the method. How about just making the test a bit tighter - the normalized URL.origin and URL.pathName are expected to match exactly, only the URL.search part is allowed to match partially (OAuth params must be appended, so startsWith is ok):

const matchesCallbackUrl = (url, callbackUrl) => {
  return url 
           && url.origin === callbackUrl.origin
           && url.pathName === callbackUrl.pathName 
           && url.search.startsWith(callbackUrl.search);
}

To be extra pedantic, url.username and url.password might be checked as well, as they are not part of .origin.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your feedback, I updated the code.

I also added a "remove trailing slash from url.pathname", so that these already given test case still works:

{ url: 'https://callback.url/endpoint/?code=abcd', expected: true },

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me.

@kekru
OAuth: optimize checks for the callbackUrl
445c2f0 
Allow the authorizeUrl to be a subpath of the callbackUrl and callbackUrl to be subpath of the autorizeUrl

It now checks for exact matching. Only a trailing slash and additional query params are allowed to be matched as the callbackUrl.
@kekru kekru requested a review from pietrygamat June 23, 2025 17:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pietrygamat pietrygamat pietrygamat approved these changes

@helloanoop helloanoop Awaiting requested review from helloanoop helloanoop is a code owner

@maintainer-bruno maintainer-bruno Awaiting requested review from maintainer-bruno maintainer-bruno is a code owner

@lohit-bruno lohit-bruno Awaiting requested review from lohit-bruno lohit-bruno is a code owner

@naman-bruno naman-bruno Awaiting requested review from naman-bruno naman-bruno is a code owner

At least 3 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kekru @pietrygamat