Since the following commit:
https://github.com/discourse/discourse/commit/d8360b4c82ca34a5c570a4af28b628f68fb23908#diff-cafbd2eee0eb3198218bc6b0ef1c0fa0R4
a hardcoded list of allowed protocols has been added, ignoring what we have configured in the administration UI:
https://github.com/discourse/discourse/blob/d8360b4c82ca34a5c570a4af28b628f68fb23908/app/services/wildcard_url_checker.rb#L4
… leading to any attempt to create a new user API key with fivem://accept-auth as redirect URI hitting a 403 without any information in /logs or on the end user’s screen.
5 Likes
rishabh
December 31, 2019, 9:10am
3
Hi there,
Thanks for reporting this to us, we’ll get someone to look at it as soon as possible.
2 Likes
sam
(Sam Saffron)
January 2, 2020, 2:22am
11
Thanks for reporting this, we are looking at a fix so we auto whitelist fivem if we notice it in the allowed_user_api_auth_redirects list.
4 Likes
david
(David Taylor)
January 2, 2020, 11:51am
13
I opened a PR here:
https://github.com/discourse/discourse/pull/8651
We check the entire URL (including protocol) against the site setting list, so I don’t think there is any need for a specific whitelist.
8 Likes
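The difference between a scheme gate that runs ahead of the configured list and a check of the entire URL against that list, as an added Ruby example that is not part of the thread and is not Discourse's own code. The method names, the contents of `HARDCODED_SCHEMES` and the sample redirect list are assumptions made for illustration.

```ruby
require "uri"

# Assumed stand-in for the hardcoded scheme list the thread describes.
HARDCODED_SCHEMES = %w[http https].freeze
# Constructed stand-in for the allowed_user_api_auth_redirects site setting.
ALLOWED_REDIRECTS = ["https://app.example.com/*", "fivem://accept-auth"].freeze

# True when candidate matches one configured entry. "*" is the only wildcard,
# everything else is literal, and the match is anchored at both ends so the
# scheme, host and path must all agree with the entry.
def entry_matches?(entry, candidate)
  pattern = entry.split("*", -1).map { |part| Regexp.escape(part) }.join('\S*')
  Regexp.new("\\A#{pattern}\\z", Regexp::IGNORECASE).match?(candidate)
end

# Returns the parsed URI, or nil when the value has no scheme or no host.
def parse_redirect(candidate)
  uri = URI.parse(candidate)
  (uri.scheme.to_s.empty? || uri.host.to_s.empty?) ? nil : uri
rescue URI::InvalidURIError
  nil
end

# Returns :ok or a symbol naming why the redirect was refused, so the caller
# can log the reason next to the 403 instead of failing silently.
# scheme_gate: true reproduces the reported behaviour; false consults only
# the configured list.
def check_redirect(candidate, allowed: ALLOWED_REDIRECTS, scheme_gate: false)
  uri = parse_redirect(candidate)
  return :unparseable if uri.nil?
  if scheme_gate && !HARDCODED_SCHEMES.include?(uri.scheme.downcase)
    return :scheme_not_allowed
  end
  allowed.any? { |entry| entry_matches?(entry, candidate) } ? :ok : :not_in_list
end
```

Because every entry is anchored and includes its scheme, dropping the scheme gate does not widen what is accepted beyond what the administrator listed: a custom-scheme URI passes only if it appears in the list itself.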
david
(David Taylor)
January 2, 2020, 4:53pm
14
This is now merged. @blattersturm if you update to the latest version, the problem should be resolved.
7 Likes
david
(David Taylor)
Closed
January 6, 2020, 6:00pm
15
This topic was automatically closed after 4 days. New replies are no longer allowed.