[Bug]: App crash when adding Basic Auth to server.url in Capacitor 6.0

ionic-team / capacitor

Build cross-platform Native Progressive Web Apps for iOS, Android, and the Web ⚡️

https://capacitorjs.com

MIT License

11.43k stars 976 forks source link

[Bug]: App crash when adding Basic Auth to server.url in Capacitor 6.0 #7327

Open patrik-skilling opened 3 months ago

patrik-skilling commented 3 months ago

Capacitor Version

💊   Capacitor Doctor  💊 

Latest Dependencies:

  @capacitor/cli: 5.7.2
  @capacitor/core: 5.7.2
  @capacitor/android: 5.7.2
  @capacitor/ios: 5.7.2

Installed Dependencies:

  @capacitor/ios: 6.0.0-rc.0
  @capacitor/cli: 6.0.0-rc.0
  @capacitor/android: 6.0.0-rc.0
  @capacitor/core: 6.0.0-rc.0

[success] Android looking great! 👌

Other API Details

No response

Platforms Affected

[ ] iOS
[X] Android
[ ] Web

Current Behavior

When adding Basic Auth to server.url app crash and you get an stacktrace that says IllegalArgumentException: allowedOriginRules https://{BasicAuth}/{Domain} is invalid. I know this works well in Capacitor 5.0 with previous versions.

See screenshot

Expected Behavior

App should load when server url includes Basic Auth. If it's intended that Basic Auth will not be allowed please respond with reason for the change.

Project Reproduction

https://github.com/patrik-skilling/public-capacitor-6-basic-auth-demo

Additional Information

No response

patrik-skilling commented 3 months ago

I am guessing you also want to remove the Basic Auth string from the Uri before loading the WebView. Or rewrite the allowedOrigin to look at Location or similar instead.

    private void loadWebView() {
        final boolean html5mode = this.config.isHTML5Mode();
        // Start the local web server
        JSInjector injector = getJSInjector();
        if (WebViewFeature.isFeatureSupported(WebViewFeature.DOCUMENT_START_SCRIPT)) {
            WebViewCompat.addDocumentStartJavaScript(webView, injector.getScriptString(), Collections.singleton(appUrl));
            String allowedOrigin = appUrl;
            Uri appUri = Uri.parse(appUrl);
            if (appUri.getPath() != null) {
                // Remove paths in uri
                allowedOrigin = appUri.toString().replace(appUri.getPath(), "");
                // Remove Basic Auth string (pseudo code)
                allowedOrigin = appUri.toString().replace(appUri['Basic Auth'], "");
            }
            WebViewCompat.addDocumentStartJavaScript(webView, injector.getScriptString(), Collections.singleton(allowedOrigin));
            injector = null;
        }

patrik-skilling commented 3 months ago

Here is the code fix I made to solve it locally:

private void loadWebView() {
    final boolean html5mode = this.config.isHTML5Mode();

    // Start the local web server
    JSInjector injector = getJSInjector();
    if (WebViewFeature.isFeatureSupported(WebViewFeature.DOCUMENT_START_SCRIPT)) {
        Uri appUri = Uri.parse(appUrl);
        String scheme = appUri.getScheme() + "://";
        String host = appUri.getHost(); 
        String allowedOrigin = scheme + host;
        WebViewCompat.addDocumentStartJavaScript(webView, injector.getScriptString(), Collections.singleton(allowedOrigin));
        injector = null;
    }

ionitron-bot[bot] commented 3 days ago

This issue has been labeled as type: bug. This label is added to issues that that have been reproduced and are being tracked in our internal issue tracker.