groove/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2025-12-27 14:19:38 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #4635 from Vito0912/feat/OIDCfix

Browse source 
Fix Invalid callback URL - must be same-origin for NPM users
This commit is contained in:
advplyr 2025-09-02 18:18:52 -04:00 committed by GitHub
commit 7d048b7a50
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 10 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

11
server/auth/OidcAuthStrategy.js
View file

@ -527,7 +527,16 @@ class OidcAuthStrategy {
// For absolute URLs, ensure they point to the same origin
const callbackUrlObj = new URL(callbackUrl)
const currentProtocol = req.secure || req.get('x-forwarded-proto') === 'https' ? 'https' : 'http'
// NPM appends both http and https in x-forwarded-proto sometimes, so we need to check for both
const xfp = (req.get('x-forwarded-proto') || '').toLowerCase()
const currentProtocol =
req.secure ||
xfp
.split(',')
.map((s) => s.trim())
.includes('https')
? 'https'
: 'http'
const currentHost = req.get('host')
// Check if protocol and host match exactly