marcel/zoraxy
1
0
Fork 0
mirror of https://github.com/tobychui/zoraxy.git synced 2025-06-21 06:53:04 +02:00
Code Issues Packages Projects Releases Wiki Activity

Added experimental fix for #695

Browse Source 
Added prefix trim and location filter for oauth authrozied redirection
This commit is contained in:
Toby Chui 2025-06-16 21:21:50 +08:00
parent 2f40593daf
commit f276040ad0
1 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/mod/auth/sso/oauth2/oauth2.go
View File

@ -4,13 +4,14 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"errors" "errors"
"net/http"
"net/url"
"strings"
"golang.org/x/oauth2" "golang.org/x/oauth2"
"imuslab.com/zoraxy/mod/database" "imuslab.com/zoraxy/mod/database"
"imuslab.com/zoraxy/mod/info/logger" "imuslab.com/zoraxy/mod/info/logger"
"imuslab.com/zoraxy/mod/utils" "imuslab.com/zoraxy/mod/utils"
"net/http"
"net/url"
"strings"
) )
type OAuth2RouterOptions struct { type OAuth2RouterOptions struct {
@ -250,7 +251,19 @@ func (ar *OAuth2Router) HandleOAuth2Auth(w http.ResponseWriter, r *http.Request)
cookie.SameSite = http.SameSiteLaxMode cookie.SameSite = http.SameSiteLaxMode
} }
w.Header().Add("Set-Cookie", cookie.String()) w.Header().Add("Set-Cookie", cookie.String())
http.Redirect(w, r, state, http.StatusTemporaryRedirect)
//Fix for #695
location := strings.TrimPrefix(state, "/internal/")
//Check if the location starts with http:// or https://. if yes, this is full URL
decodedLocation, err := url.PathUnescape(location)
if err == nil && (strings.HasPrefix(decodedLocation, "http://") || strings.HasPrefix(decodedLocation, "https://")) {
//Redirect to the full URL
http.Redirect(w, r, decodedLocation, http.StatusTemporaryRedirect)
} else {
//Redirect to a relative path
http.Redirect(w, r, state, http.StatusTemporaryRedirect)
}
return errors.New("authorized") return errors.New("authorized")
} }
unauthorized := false unauthorized := false