Open emo7874 opened 10 months ago
Can confirm this also breaks with the react-devtools extension installed.
This does look like a bug.
@damienbod This still appears to be an issue. Maybe we can have a configuration parameter to "only accept messages from redirect domain"?
I can add the Angular dev tools to the list of things that send objects to the parent window.
I have created a very basic fix for the time being (#1988), until a more proper way to handle invalid data is introduced.
I am not comfortable with posting pull requests, but I was hoping for something like this: const listener = (event: MessageEvent): void => { if (!event?.data || typeof event.data !== 'string') { this.cleanUp(listener, config); return; } this.loggerService.logDebug( config, 'Received message from popup with url ' + event.data + '. The configured redirect url is ' + config.redirectUrl ); if(!config.redirectUrl || (config.popoutMessageMatchRedirect && event.origin && config.redirectUrl.indexOf(event.origin) > -1)) { this.resultInternal$.next({ userClosed: false, receivedUrl: event.data }); this.cleanUp(listener, config); } else { this.loggerService.logError(config, 'Skipped invalid origin: ' + event.origin); } }; where the code checks the origin to match the redirectUrl, and enforces the result based on the new parameter : popoutMessageMatchRedirect
What Version of the library are you using? 16.0.0
Question I'm not sure if this is considered a bug or not. Using authorizeWithPopUp to start authentication. Customer uses Okta SSO with an additional layer of security with MFA where it sends the code to their email. Once they press send code, the popup window goes away and they are not authorized.
Here's why this is happening.
We're using a custom redirect page in our app.
In the popup.service.ts there is an openPopUp method with the below code. It registers a listener for any messages. Okta was sending a message when the MFA process was initiated which triggered the cleanUp() method. This listener should only care about messages sent from my custom redirect page and should not care about direct Okta messages. Inside the listener, I had to ignore any messages not from my redirect domain. This fixed the issue.
Is this a bug or is this a configuration I don't know about?