MrSwitch / hello.js

A Javascript RESTFUL API library for connecting with OAuth2 services, such as Google+ API, Facebook Graph and Windows Live Connect
https://adodson.com/hello.js/
MIT License
4.63k stars 550 forks

Unable to parse url if it contains a dot #520

Open rolandjitsu opened 7 years ago

rolandjitsu commented 7 years ago

It looks like the package has some issues decoding URLs that contain a dot (.). According to RFC 3986, that's a valid character.

The error I get is Could not decode state parameter. And this happens if the URL contains search params with ?some_key=0.1.

MrSwitch commented 7 years ago

Hmmm, so this comes from https://github.com/MrSwitch/hello.js/blob/v1.15.1/src/hello.js#L1332

Can you share the value of p.state before decodeURIComponent and JSON.parse - which throws the exception.

Thanks

rolandjitsu commented 7 years ago

This is p before that:

{
access_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6ImJicC1vaWRjIn0.eyJleHAiOjE1MDY5NjA1ODgsInN1YiI6IjMwNDA3MCIsImF1ZCI6WyI1NjA0YWYxYy0xZTA3LTQ4MWQtOGIxMy03ODVlYTQ0MDE0YzUiXSwiaXNzIjoiaHR0cHM6XC9cL3NlcnZpY2VzLmh1bWFuYnJhaW5wcm9qZWN0LmV1XC9vaWRjXC8iLCJqdGkiOiI1MzJmMjA1NS1lNTJmLTQzZDItODQ0ZC05MGIyMDU3YWU5MDIiLCJpYXQiOjE1MDY5NDYxODgsImhicF9rZXkiOiJhOWQwYzdmYzAzOGUxYjAxMmEyMTFiYTMwNTk3NjBkNjMwMzdiZTNkIn0.GjSDFsXmfAiIPdsxyXYYK1Zq1zrSKXxUChURk0qOygTv7vD4FnTmC4l-j3MIcuDq86hdOs3ySGZyFyW-vi5MqRiYOxXFh_WBempKVulcXHm-X2I8TOlPahYwNRLxk9ahrc-A5jyGwXVgOH372nSwS1Dd2R-604JnDIg0hO4i8WU"
density: "0.1"}"
expires_in: "14399"
id_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6ImJicC1vaWRjIn0.eyJleHAiOjE1MDY5NDY3ODgsInN1YiI6IjMwNDA3MCIsImF0X2hhc2giOiJ5emM5SnpacWtFYUtDRzBlak9EbjV3IiwiYXVkIjpbIjU2MDRhZjFjLTFlMDctNDgxZC04YjEzLTc4NWVhNDQwMTRjNSJdLCJpc3MiOiJodHRwczpcL1wvc2VydmljZXMuaHVtYW5icmFpbnByb2plY3QuZXVcL29pZGNcLyIsImp0aSI6Ijg5YTA4ZTIwLTY1YTUtNDE3Yy1hNDVmLWRkYjA5Yjk4M2M1YSIsImlhdCI6MTUwNjk0NjE4OCwia2lkIjoiYmJwLW9pZGMifQ.UYvkWnfJ4bSzGuR3trQhF-opFlOsCLLpK_LCLsqta2QCcydvfCoVmmRpRYPK1zQYoBqQb3oq5QJBkjuhdBQbgp5snMFF_cJ8sNsJMmHA_R3TvIFyCUymvs81j9vhQJySkVeREK_zdmV6E8PNlpEziLXUHjZM0R4aSngEhw9_vFY"
morphology_folder: "L2dwZnMvkvZW50aXRpZXMvbW9ycGhvbG9naWVzLzIwMTcuMDEuMDU%3D"
mvd_file: "L2dwZnMvYmJwLmIzNzczNDZkMzY4NGI0M2U5NmMyYzhjLWNpcmN1aXQubXZkMw%3D%3D"
scope: "hbp.documents openid hbp.collab profile"
state: "{"client_id":"5604af1c-1e07-481d-8b13-785ea44014c5","network":"hbp","display":"page","callback":"_hellojs_51us82fq","state":"","redirect_uri":"http://localhost:4200/camera?morphology_folder=L2dwZnMvYmJwLmNzY3MuY2gvcHJvamVjdC9wcmbG9naWVzLzIwMTcuMDEuMDU%3D"
token_type: "Bearer"
use_auth: "true"
}

I think I can see an issue with density, there's a brace there.

rolandjitsu commented 7 years ago

@MrSwitch any news on this? I am also experiencing issues with a url such as:

http://localhost:4200/camera?morphology_folder=L2dwZnMvYm9qNTkvZMvbW9ycGhvbG9naWVzLzIwMTcuMDEuMDU%3D&mvd_file=L2dwZnMvYmJwLmNzY3MuY2gvcHJvNGI0M2U5NmMyYzhjLWNpcmN1aXQubXZkMw%3D%3D

MrSwitch commented 7 years ago

So the p.state value looks to be truncated by the Identity Provider

state: "{"client_id":"5604af1c-1e07-481d-8b13-785ea44014c5","network":"hbp","display":"page","callback":"_hellojs_51us82fq","state":"","redirect_uri":"http://localhost:4200/camera?morphology_folder=L2dwZnMvYmJwLmNzY3MuY2gvcHJvamVjdC9wcmbG9naWVzLzIwMTcuMDEuMDU%3D"

It starts with a { and should end with a }. Perhaps the character %3D in your Query Param morphology_folder is the culprit. Try defining the redirect_uri without querystrings like this if at all possible.

rolandjitsu commented 7 years ago

I will try it. But those characters come from url encoding (using encodeURIComponent()).

rolandjitsu commented 7 years ago

@MrSwitch I just tried it without any params at all and I sometimes still get the error. Do you think it's possible that the oauth server messes up the state?

I will try to debug this, can you point me at the line I should look at before the state goes through to the oauth server.