authorEarl Warren <109468362+earl-warren@users.noreply.github.com>2023-11-29 02:37:12 +0100
committerGitHub <noreply@github.com>2023-11-29 01:37:12 +0000
commit8b45a4d3668b433eaca68c1f06f40181a9fb1e9b (patch)
treeed78ecc7299a48e6306b1728aa35fec464d2794e
parentcb8298b7178f5dde302604bfe34c658b725f16f8 (diff)
Use appSubUrl for OAuth2 callback URL tip (#28266)
- When crafting the OAuth2 callbackURL take into account `appSubUrl`, which is quite safe given that it is strictly formatted. - No integration testing as this is all done in Javascript. - Resolves https://codeberg.org/forgejo/forgejo/issues/1795 (cherry picked from commit 27cb6b7956136f87aa78067d9adb5a4c4ce28a24) Co-authored-by: Gusted <postmaster@gusted.xyz>
-rw-r--r--web_src/js/features/admin/common.js5
1 files changed, 3 insertions, 2 deletions
diff --git a/web_src/js/features/admin/common.js b/web_src/js/features/admin/common.js
index 250608069b..044976ea7b 100644
--- a/web_src/js/features/admin/common.js
+++ b/web_src/js/features/admin/common.js
@@ -2,7 +2,7 @@ import $ from 'jquery';
import {checkAppUrl} from '../common-global.js';
import {hideElem, showElem, toggleElem} from '../../utils/dom.js';
-const {csrfToken} = window.config;
+const {csrfToken, appSubUrl} = window.config;
export function initAdminCommon() {
if ($('.page-content.admin').length === 0) {
@@ -172,7 +172,8 @@ export function initAdminCommon() {
if ($('.admin.authentication').length > 0) {
$('#auth_name').on('input', function () {
- $('#oauth2-callback-url').text(`${window.location.origin}/user/oauth2/${encodeURIComponent($(this).val())}/callback`);
+ // appSubUrl is either empty or is a path that starts with `/` and doesn't have a trailing slash.
+ $('#oauth2-callback-url').text(`${window.location.origin}${appSubUrl}/user/oauth2/${encodeURIComponent($(this).val())}/callback`);
}).trigger('input');
}
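Review bot: The new callback-URL line still derives the scheme and host from `window.location.origin` while taking only the sub-path from server config, so when the browser origin differs from the configured ROOT_URL (reverse proxy, TLS termination, an admin visiting via an internal hostname) the displayed redirect URI will not match the one the server actually uses for the provider — and the `checkAppUrl` import in the first hunk suggests this page already expects such mismatches. If `window.config` also exposes the configured app URL (not visible in this hunk), building the tip from that value would keep the two in sync, e.g. `const base = appUrl.replace(/\/$/, '');` followed by `` `${base}/user/oauth2/${encodeURIComponent($(this).val())}/callback` ``. Failing that, the comment on the new line could state the assumption it relies on: `// Assumes the browser origin equals ROOT_URL; behind a proxy the real callback host may differ.`. `initAdminCommon` begins outside this hunk.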