Strict check for URL params (#336)

* Strict check for URL params

* Strict check for URL param - add tests

* Update projects/auth0-angular/src/lib/auth.service.ts

* Fix compilation

Co-authored-by: Frederik Prijck <[email protected]>
Co-authored-by: Frederik Prijck <[email protected]>

Author: sarveshbathija

projects/auth0-angular/src/lib/auth.service.spec.ts

@@ -509,6 +509,17 @@ describe('AuthService', () => {
         done();
       });
     });
+
+    it('should not process the callback when query string is a sub string', (done) => {
+      window.history.replaceState(null, '', '?abccode=123&xyzstate=456');
+
+      const localService = createService();
+
+      loaded(localService).subscribe(() => {
+        expect(auth0Client.handleRedirectCallback).not.toHaveBeenCalled();
+        done();
+      });
+    });
   });
 
   it('should call `loginWithRedirect`', async () => {

projects/auth0-angular/src/lib/auth.service.ts

@@ -367,12 +367,14 @@ export class AuthService<TAppState extends AppState = AppState>
 
   private shouldHandleCallback(): Observable<boolean> {
     return of(location.search).pipe(
-      map(
-        (search) =>
-          (search.includes('code=') || search.includes('error=')) &&
-          search.includes('state=') &&
+      map((search) => {
+        const searchParams = new URLSearchParams(search);
+        return (
+          (searchParams.has('code') || searchParams.has('error')) &&
+          searchParams.has('state') &&
           !this.configFactory.get().skipRedirectCallback
-      )
+        );
+      })
     );
   }
 }