damienbod / angular-auth-oidc-client

npm package for OpenID Connect, OAuth Code Flow with PKCE, Refresh tokens, Implicit Flow
https://www.npmjs.com/package/angular-auth-oidc-client
MIT License

[Bug]: Potential Infinite IFrame Creation When 'checkSessionIframe' Is undefined #1975

Open arlllk opened 5 months ago

arlllk commented 5 months ago

Version

17.1.0+

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

When 'checkSessionIframe' is not present in the OpenID configuration, the library appears to create a recursive iframe structure (myiFrameForCheckSession). This results in the application repeatedly initializing itself within nested iframes.

Steps to reproduce the behavior

- Configure an OpenID Connect provider without specifying 'checkSessionIframe' in the '.well-known/openid-configuration'.
- Start the app.
- Observe the continuous creation of nested iframes.

A clear and concise description of what you expected to happen.

The library should handle cases where 'checkSessionIframe' is not defined gracefully, without creating an infinite loop of iframes.

Additional context

This issue appears to have been introduced with commit 367448f1b3c9d33206b01a4808ab76a2d6c3017f here. The change seems to have moved an 'if' expression that previously checked if 'checkSessionIframe' was undefined or null before setting the iframe location.
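The failure mode the report describes, as an added toy model that is not code from angular-auth-oidc-client and not the reporter's code: a check-session init whose `if` only picks a value and then falls through into iframe creation, beside the early-return form. It assumes a fake DOM in place of the browser, constructed discovery documents and URLs (`app.example.test`, `idp.example.test`), and that the app is served by a catch-all route so that any URL under its own origin bootstraps the app again; `initCheckSessionBuggy`, `initCheckSessionFixed` and `simulate` are names chosen for the illustration, not library APIs.

```javascript
// Added illustration, not code from angular-auth-oidc-client or the reporter:
// a toy model of an OIDC check-session iframe setup showing the bug pattern
// this issue describes (the check on check_session_iframe does not stop
// execution) next to the early-return fix. Assumptions: a fake DOM replaces
// the browser, and the app is served by a catch-all route, so any URL under
// the app's own origin bootstraps the app (and its check-session init) again.

const APP_URL = 'https://app.example.test/'; // constructed sample app URL

// Minimal stand-in for an <iframe> element: assigning `src` stringifies the
// value and resolves it against the embedding document's URL, as browsers do,
// so `undefined` turns into "https://app.example.test/undefined".
class FakeIframe {
  constructor(doc, id) { this.doc = doc; this.id = id; this.resolvedSrc = ''; }
  get src() { return this.resolvedSrc; }
  set src(value) {
    this.resolvedSrc = new URL(String(value), APP_URL).href;
    this.doc.onNavigate(this.resolvedSrc);
  }
}

// Bug pattern from the report: the `if` only picks a value, and execution
// continues into iframe creation even when no check_session_iframe is set.
function initCheckSessionBuggy(config, doc) {
  let sessionUrl;
  if (config.check_session_iframe) {
    sessionUrl = config.check_session_iframe;
  }
  const iframe = doc.createIframe('myiFrameForCheckSession');
  iframe.src = sessionUrl; // undefined here -> relative URL "undefined"
  return iframe;
}

// Fixed pattern: no session-management endpoint means no iframe at all.
function initCheckSessionFixed(config, doc) {
  if (!config.check_session_iframe) {
    return null;
  }
  const iframe = doc.createIframe('myiFrameForCheckSession');
  iframe.src = config.check_session_iframe;
  return iframe;
}

// Runs the "app" against a fake document. A navigation to the app's own
// origin re-bootstraps the app, which re-runs the check-session init; the
// depth cap stands in for the browser that would otherwise recurse forever.
function simulate(initFn, config, maxDepth = 10) {
  let depth = 0;
  const doc = {
    iframesCreated: 0,
    createIframe(id) {
      this.iframesCreated += 1;
      return new FakeIframe(this, id);
    },
    onNavigate(url) {
      const isOwnOrigin = new URL(url).origin === new URL(APP_URL).origin;
      if (!isOwnOrigin) return; // IdP-hosted page: loads once, no recursion
      if (depth >= maxDepth) return;
      depth += 1;
      initFn(config, doc);
    },
  };
  initFn(config, doc);
  return { iframesCreated: doc.iframesCreated, nestingDepth: depth };
}

// Constructed discovery documents: one without check_session_iframe (the
// reported case) and one that advertises a session endpoint on the IdP.
const DISCOVERY_WITHOUT_SESSION = { issuer: 'https://idp.example.test' };
const DISCOVERY_WITH_SESSION = {
  issuer: 'https://idp.example.test',
  check_session_iframe: 'https://idp.example.test/connect/checksession',
};

console.log(simulate(initCheckSessionBuggy, DISCOVERY_WITHOUT_SESSION));
// -> { iframesCreated: 11, nestingDepth: 10 }: one iframe per bootstrap until the cap
console.log(simulate(initCheckSessionFixed, DISCOVERY_WITHOUT_SESSION));
// -> { iframesCreated: 0, nestingDepth: 0 }
```

The point the model makes is that the problem is not the `if` itself but what happens after it: a falsy `check_session_iframe` has to end the setup, because an unset `src` does not leave the iframe empty, it resolves to a URL on the app's own origin. With a discovery document that does advertise a session endpoint, both variants create exactly one iframe pointing at the IdP and nothing recurses.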

ZeroZeroOne-dev commented 1 month ago

Bump. We're currently running into this issue.

FabianGosebrink commented 1 month ago

Yep, nice catch. The if is truthy, but it is still running further also with a falsy checkSessionIframe. Will fix that after the weekend.

FabianGosebrink commented 1 month ago

@arlllk Added an early return to prevent this case you mentioned. Does that fit your needs?

arlllk commented 1 month ago

Yes, that PR fixes the issue.

ZeroZeroOne-dev commented 1 week ago

Will this fix be released soon?