If I call user-api-key/new with an auth_redirect already containing a query string (e.g. http://localhost:30120/auth-discourse?state=BASE64), I end up with a redirect URI along the lines of http://localhost:30120/auth-discourse?state=BASE64?payload=PAYLOAD - two query strings, and no & appending.
```ruby
public_key = OpenSSL::PKey::RSA.new(params[:public_key])
@payload = Base64.encode64(public_key.public_encrypt(@payload))

if scopes.include?("one_time_password")
  # encrypt one_time_password separately to bypass 128 chars encryption limit
  otp_payload = one_time_password(public_key, current_user.username)
end

if params[:auth_redirect]
  # "?payload=" is appended unconditionally, even when auth_redirect already has a query string
  redirect_path = +"#{params[:auth_redirect]}?payload=#{CGI.escape(@payload)}"
  redirect_path << "&oneTimePassword=#{CGI.escape(otp_payload)}" if scopes.include?("one_time_password")
  redirect_to(redirect_path)
else
  respond_to do |format|
    format.html { render :show }
    format.json do
      instructions = I18n.t("user_api_key.instructions", application_name: @application_name)
      render json: { payload: @payload, instructions: instructions }
    end
  end
end
```
This code might need to be changed to check if there’s already a query string in the URI, or perhaps use some URI builder?
1 Like
eviltrout
(Robin Ward)
July 22, 2019 13:41
2
It does seem like the assumption the code makes is that it doesn’t already contain any query parameters. We’d be open to a PR to fix this.
4 Likes
saurabhp
(Saurabh Patel)
July 23, 2019 15:50
3
I have opened a PR for this issue here:
master ← mrfinch:saurabh/uri-fix
merged 04:16PM - 23 Jul 19 UTC
https://meta.discourse.org/t/user-api-keys-payload-and-existing-query-string-lea… ds-to-a-double-question-mark/123617
3 Likes
saurabhp
(Saurabh Patel)
July 24, 2019 02:37
4
PR has been merged. This topic can be closed.
2 Likes
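The URI-builder approach suggested in the first post, as an added example that is not part of the thread and is not the code of the merged PR: `append_query_params` is a hypothetical helper built on Ruby's standard `uri` library. Dropping a caller-supplied copy of a key being set (such as `payload`) is a design choice assumed here, not something the thread specifies.

```ruby
require "uri"

# Hypothetical helper (not Discourse's code): merge extra parameters into a
# redirect URI without disturbing a query string or fragment it already has.
def append_query_params(redirect_uri, extra)
  uri = URI.parse(redirect_uri)

  # decode_www_form returns [[key, value], ...], so existing parameters such
  # as the client's "state" keep their order and repeated keys survive.
  pairs = URI.decode_www_form(uri.query.to_s)

  # Assumed policy: drop caller-supplied copies of the keys we are about to
  # set, so the receiver never sees two "payload" values and has to guess.
  reserved = extra.keys.map(&:to_s)
  pairs.reject! { |key, _| reserved.include?(key) }
  pairs.concat(extra.map { |key, value| [key.to_s, value.to_s] })

  # encode_www_form percent-encodes "+", "/", "=" and the newlines that
  # Base64.encode64 emits; assigning uri.query keeps any "#fragment" last.
  uri.query = pairs.empty? ? nil : URI.encode_www_form(pairs)
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values modelled on the URL in the first post.
  redirect = "http://localhost:30120/auth-discourse?state=BASE64"
  puts append_query_params(redirect, payload: "PAYLOAD")
end
```

Which `auth_redirect` targets a server should accept at all is a separate check that this helper does not perform.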