Reject callback URLs with a different protocol

textbook · textbook · commit fd628bb345a2 · 2021-08-13T11:07:55.000+01:00
diff --git a/src/routes/authorize.ts b/src/routes/authorize.ts
@@ -88,6 +88,7 @@ export const validateRedirect = (
 	const callback = new URL(callbackUrl);
 	return (
 		redirect.host === callback.host
+		&& redirect.protocol == callback.protocol
 		&& redirect.port === callback.port
 		&& redirect.pathname.startsWith(callback.pathname)
 	);
diff --git a/tests/authorize.spec.ts b/tests/authorize.spec.ts
@@ -23,6 +23,7 @@ describe("validateRedirect function", () => {
 		"http://example.com:8080/path",
 		"http://oauth.example.com:8080/path",
 		"http://example.org",
+		"https://example.com/path",
 	].forEach((invalidRedirect) => {
 		it(`should reject ${invalidRedirect}`, () => {
 			expect(validateRedirect(invalidRedirect, callback)).toBe(false);
