feat(clerk-js,types): Validate query param redirect urls with the allowedRedirectOrigins prop#1096
Merged
nikosdouvlis merged 7 commits intoMay 11, 2023
Conversation
desiprisg
force-pushed
the
george/js-268-whitelist-redirections-to-prevent-open
branch
2 times, most recently
from
April 27, 2023 07:54
06a4071 to
40f7e8a
Compare
desiprisg
force-pushed
the
george/js-268-whitelist-redirections-to-prevent-open
branch
4 times, most recently
from
April 28, 2023 12:19
a42831d to
01d06c0
Compare
desiprisg
marked this pull request as ready for review
April 28, 2023 12:21
dimkl
reviewed
Apr 28, 2023
| const secondaryQueryParamRedirectUrl = | ||
| accessRedirectUrl && typeof queryParams?.redirect_url === 'string' ? queryParams.redirect_url : null; | ||
|
|
||
| let queryParamUrl: string | null | undefined = primaryQueryParamRedirectUrl || secondaryQueryParamRedirectUrl; |
Contributor
There was a problem hiding this comment.
❓ could we reduce the potential values of queryParamUrl to string | undefined by simplifying the types of the values used to calculate it ?
…fault list fix(clerk-js): Fix allowedRedirectOrigins default patterns
nikosdouvlis
force-pushed
the
george/js-268-whitelist-redirections-to-prevent-open
branch
from
May 9, 2023 08:04
01d06c0 to
db4afe8
Compare
nikosdouvlis
force-pushed
the
george/js-268-whitelist-redirections-to-prevent-open
branch
from
May 9, 2023 14:11
424eabe to
fcc9f29
Compare
…ent-open # Conflicts: # packages/types/src/clerk.ts
nikosdouvlis
deleted the
george/js-268-whitelist-redirections-to-prevent-open
branch
May 11, 2023 11:32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Type of change
Packages affected
@clerk/clerk-js@clerk/clerk-react@clerk/nextjs@clerk/remix@clerk/types@clerk/themes@clerk/localizations@clerk/clerk-expo@clerk/backend@clerk/clerk-sdk-node@clerk/shared@clerk/fastify@clerk/chrome-extensiongatsby-plugin-clerkbuild/tooling/choreDescription
npm testruns as expected.npm run buildruns as expected.The
allowedRedirectOriginsprop has been added to theClerkProvider. Using this prop, the developer can limit the urls that can be used for redirects via query parameters. If an invalid redirect url is extracted, then it will be ignored and a warning will be printed in the console. The default allowed urls are:httpsprotocol where the domain matches, or is a subdomain of, the eTLD+1.A couple of utils have been added to implement this validation. This takes place inside the
pickRedirectionProputil.