Added changes from @nicolashenry out of #9248

dev-helpers/oauth2-redirect.html

@@ -1,15 +1,13 @@
 <!doctype html>
 <html lang="en-US">
 <body>
-</body>
-</html>
 <script>
     'use strict';
     function run () {
-        var oauth2 = window.opener.swaggerUIRedirectOauth2;
-        var sentState = oauth2.state;
-        var redirectUrl = oauth2.redirectUrl;
-        var isValid, qp, arr;
+        var opener = window.opener;
+        var oauth2 = opener ? opener.swaggerUIRedirectOauth2 : undefined;
+
+        var qp, arr;
 
         if (/code|token|error/.test(window.location.hash)) {
             qp = window.location.hash.substring(1).replace('?', '&');
@@ -25,44 +23,13 @@
                 }
         ) : {}
 
-        isValid = qp.state === sentState
-
-        if ((
-          oauth2.auth.schema.get("flow") === "accessCode" ||
-          oauth2.auth.schema.get("flow") === "authorizationCode" ||
-          oauth2.auth.schema.get("flow") === "authorization_code"
-        ) && !oauth2.auth.code) {
-            if (!isValid) {
-                oauth2.errCb({
-                    authId: oauth2.auth.name,
-                    source: "auth",
-                    level: "warning",
-                    message: "Authorization may be unsafe, passed state was changed in server Passed state wasn't returned from auth server"
-                });
-            }
-
-            if (qp.code) {
-                delete oauth2.state;
-                oauth2.auth.code = qp.code;
-                oauth2.callback({auth: oauth2.auth, redirectUrl: redirectUrl});
-            } else {
-                let oauthErrorMsg
-                if (qp.error) {
-                    oauthErrorMsg = "["+qp.error+"]: " +
-                        (qp.error_description ? qp.error_description+ ". " : "no accessCode received from the server. ") +
-                        (qp.error_uri ? "More info: "+qp.error_uri : "");
-                }
-
-                oauth2.errCb({
-                    authId: oauth2.auth.name,
-                    source: "auth",
-                    level: "error",
-                    message: oauthErrorMsg || "[Authorization failed]: no accessCode received from the server"
-                });
-            }
+        if (oauth2) {
+            oauth2.handleAuth(qp);
         } else {
-            oauth2.callback({auth: oauth2.auth, token: qp, isValid: isValid, redirectUrl: redirectUrl});
+            var oauth2Channel = new BroadcastChannel("oauth2_channel");
+            oauth2Channel.postMessage(qp);
         }
+
         window.close();
     }
 
@@ -74,3 +41,5 @@
       });
     }
 </script>
+</body>
+</html>

package.json

@@ -130,6 +130,7 @@
     "babel-plugin-module-resolver": "=5.0.2",
     "babel-plugin-transform-react-remove-prop-types": "=0.4.24",
     "body-parser": "^1.19.0",
+    "broadcastchannel-polyfill": "=1.0.1",
     "buffer": "^6.0.3",
     "cheerio": "=1.0.0",
     "cors": "^2.8.5",

src/core/oauth2-authorize.js

@@ -127,11 +127,53 @@ export default function authorize ( { auth, authActions, errActions, configs, au
     callback = authActions.authorizeAccessCodeWithFormParams
   }
 
-  authActions.authPopup(url, {
+  const oauth2 = {
     auth: auth,
     state: state,
     redirectUrl: redirectUrl,
     callback: callback,
-    errCb: errActions.newAuthErr
-  })
+    errCb: errActions.newAuthErr,
+    handleAuth: (qp) => {
+      const isValid = qp.state === oauth2.state
+
+      if ((
+        oauth2.auth.schema.get("flow") === "accessCode" ||
+        oauth2.auth.schema.get("flow") === "authorizationCode" ||
+        oauth2.auth.schema.get("flow") === "authorization_code"
+      ) && !oauth2.auth.code) {
+          if (!isValid) {
+              oauth2.errCb({
+                  authId: oauth2.auth.name,
+                  source: "auth",
+                  level: "warning",
+                  message: "Authorization may be unsafe, passed state was changed in server Passed state wasn't returned from auth server"
+              })
+          }
+
+          if (qp.code) {
+              delete oauth2.state
+              oauth2.auth.code = qp.code
+              oauth2.callback({auth: oauth2.auth, redirectUrl: redirectUrl})
+          } else {
+              let oauthErrorMsg
+              if (qp.error) {
+                  oauthErrorMsg = "["+qp.error+"]: " +
+                      (qp.error_description ? qp.error_description+ ". " : "no accessCode received from the server. ") +
+                      (qp.error_uri ? "More info: "+qp.error_uri : "")
+              }
+
+              oauth2.errCb({
+                  authId: oauth2.auth.name,
+                  source: "auth",
+                  level: "error",
+                  message: oauthErrorMsg || "[Authorization failed]: no accessCode received from the server"
+              })
+          }
+      } else {
+          oauth2.callback({auth: oauth2.auth, token: qp, isValid: isValid, redirectUrl: redirectUrl})
+      }
+    }
+  }
+
+  authActions.authPopup(url, oauth2)
 }

src/core/plugins/auth/actions.js

@@ -49,6 +49,10 @@ export const preAuthorizeImplicit = (payload) => ( { authActions, errActions } )
 
   // remove oauth2 property from window after redirect from authentication
   delete win.swaggerUIRedirectOauth2
+  if (win.oauth2Channel) {
+    win.oauth2Channel.close()
+    delete win.oauth2Channel
+  }
 
   if ( flow !== "accessCode" && !isValid ) {
     errActions.newAuthErr( {
@@ -282,5 +286,18 @@ export const persistAuthorizationIfNeeded = () => ( { authSelectors, getConfigs
 export const authPopup = (url, swaggerUIRedirectOauth2) => ( ) => {
   win.swaggerUIRedirectOauth2 = swaggerUIRedirectOauth2
 
+  if (win.oauth2Channel) {
+    win.oauth2Channel.close()
+  }
+  const oauth2Channel = new BroadcastChannel("oauth2_channel")
+  oauth2Channel.addEventListener("message", event => {
+    const data = event.data
+    const state = data ? data.state : undefined
+    if (state === swaggerUIRedirectOauth2.state) {
+      swaggerUIRedirectOauth2.handleAuth(data)
+    }
+  })
+  win.oauth2Channel = oauth2Channel
+
   win.open(url)
 }

test/unit/core/plugins/auth/actions.js

@@ -1,3 +1,5 @@
+import { BroadcastChannel } from "broadcastchannel-polyfill"
+import { MessageChannel } from "node:worker_threads"
 import { Map } from "immutable"
 import win from "core/window"
 import {
@@ -10,6 +12,9 @@ import {
 } from "core/plugins/auth/actions"
 import {authorizeAccessCodeWithBasicAuthentication, authPopup} from "../../../../../src/core/plugins/auth/actions"
 
+// broadcastchannel-polyfill expects MessageChannel to exist
+global.MessageChannel = MessageChannel
+
 describe("auth plugin - actions", () => {
 
   describe("authorizeRequest", () => {