Unverified Commit 6a8fea3e authored by Michelle Nguyen's avatar Michelle Nguyen Committed by Copybara

Check origin for CLI auth redirect


Summary: Just to be extra sure, we should ensure that the CLI auth only sends the token to localhost or the Pixie cloud domain.

Test Plan: deploy to staging and run `px auth login`, update the redirect URI

Reviewers: vihang, philkuz, zasgar

Reviewed By: vihang
Signed-off-by: Michelle Nguyen <michellenguyen@pixielabs.ai>

Differential Revision: https://phab.corp.pixielabs.ai/D11357

GitOrigin-RevId: cf76052ba8e04eeda5e1029b0c45b589c8930e0d
parent d80f1516
Showing with 7 additions and 1 deletion
+7 -1
......@@ -265,6 +265,12 @@ export const AuthCallbackPage: React.FC = React.memo(() => {
const sendTokenToCLI = React.useCallback(async (accessToken: string, idToken: string, redirectURI: string) => {
try {
// Check the URL is from an accepted origin.
const parsedURL = new URL(redirectURI);
if (parsedURL.hostname != 'localhost') {
return false;
}
const response = await redirectGet(redirectURI, { accessToken });
return response.status === 200 && response.data === 'OK';
} catch (error) {
......@@ -299,7 +305,7 @@ export const AuthCallbackPage: React.FC = React.memo(() => {
return;
}
// Fallback to manual auth unless there is an actual authentication error.
if (config.err?.errorType !== 'auth') {
if (!config || config.err?.errorType !== 'auth') {
setConfig((c) => ({
...c,
mode: 'cli_token',
......
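Review bot: The new origin check in sendTokenToCLI, `if (parsedURL.hostname != 'localhost')`, admits only `localhost`, while the summary says the token may also go to the Pixie cloud domain; if the cloud domain is meant to be accepted the allowlist is incomplete, and if it is not, the description overstates what is enforced. The comparison should also use strict equality, `if (parsedURL.hostname !== 'localhost') {`, consistent with the `===` used on the line returning the response check. Since the check is the token's only egress guard, it is worth a comment that states its intent and the deliberate omissions, e.g. `// Loopback listener started by the CLI only; 127.0.0.1/::1 are not accepted — confirm this matches what the CLI binds to`. Note that `new URL(redirectURI)` throws on an unparsable URI, which falls into the catch whose body lies outside the hunk, so that path's return value should be confirmed to be a refusal as well; sendTokenToCLI continues beyond the hunk.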