
fix: use correct logic for URI check (#8)
* Fix logic for URI check

PATH_INFO is specific to Apache, so this code fails if you use any other webserver
https://httpd.apache.org/docs/2.4/mod/core.html#acceptpathinfo

* refactor: fix tests

---------

Co-authored-by: Gao Sun <[email protected]>
mikedamm and gao-sun authored Apr 27, 2024
1 parent d5a6fe6 commit bfbfe74
Showing 2 changed files with 5 additions and 5 deletions.
2 changes: 1 addition & 1 deletion src/LogtoClient.php
Expand Up @@ -248,7 +248,7 @@ public function handleSignInCallback(): void
// Some loose checks
if (
parse_url($signInSession->redirectUri, PHP_URL_HOST) !== ($_SERVER['SERVER_NAME'] ?? null) ||
parse_url($signInSession->redirectUri, PHP_URL_PATH) !== ($_SERVER['PATH_INFO'] ?? null)
parse_url($signInSession->redirectUri, PHP_URL_PATH) !== parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH)
) {
throw new LogtoException('The redirect URI in the sign-in session does not match the current request.');
}
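Review bot: The new comparison reads `$_SERVER['REQUEST_URI']` directly, while the host check on the line above guards `SERVER_NAME` with `?? null`; when the key is absent (CLI, or a test that does not set it) PHP 8 emits an undefined-array-key warning and `parse_url()` then receives `null`, which is deprecated for a non-nullable string parameter since 8.1. Mirroring the existing style keeps the check fail-closed without the warning: `parse_url($signInSession->redirectUri, PHP_URL_PATH) !== parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH)`. Note also that `REQUEST_URI` is the request target exactly as the client sent it, so a differently percent-encoded or un-normalized path naming the same resource will not compare equal and will raise the existing LogtoException — the safe direction, but worth recording with a comment such as `// REQUEST_URI is compared un-normalized; a differently-encoded path fails closed`. handleSignInCallback begins before this hunk and continues after it.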
8 changes: 4 additions & 4 deletions tests/LogtoClientTest.php
Expand Up @@ -152,7 +152,7 @@ function test_handleSignInCallback_sessionNotFound()
function test_handleSignInCallback_pathDoesNotMatch()
{
$_SERVER['SERVER_NAME'] = 'localhost';
$_SERVER['PATH_INFO'] = '/foo';
$_SERVER['REQUEST_URI'] = '/foo';
$client = $this->getInstance();
$client->storage->set(
StorageKey::signInSession,
Expand All @@ -166,7 +166,7 @@ function test_handleSignInCallback_pathDoesNotMatch()
function test_handleSignInCallback_stateDoesNotMatch()
{
$_SERVER['SERVER_NAME'] = 'redirect_uri';
$_SERVER['PATH_INFO'] = '/some_path';
$_SERVER['REQUEST_URI'] = '/some_path';
$_SERVER['QUERY_STRING'] = null;
$client = $this->getInstance();
$client->storage->set(
Expand All @@ -181,7 +181,7 @@ function test_handleSignInCallback_stateDoesNotMatch()
function test_handleSignInCallback_codeNotFound()
{
$_SERVER['SERVER_NAME'] = 'redirect_uri';
$_SERVER['PATH_INFO'] = '/some_path';
$_SERVER['REQUEST_URI'] = '/some_path';
$_SERVER['QUERY_STRING'] = 'state=state';
$client = $this->getInstance();
$client->storage->set(
Expand All @@ -196,7 +196,7 @@ function test_handleSignInCallback_codeNotFound()
function test_handleSignInCallback()
{
$_SERVER['SERVER_NAME'] = 'redirect_uri';
$_SERVER['PATH_INFO'] = '/some_path';
$_SERVER['REQUEST_URI'] = '/some_path';
$_SERVER['QUERY_STRING'] = 'state=state&code=code';
$tokenResponse = new TokenResponse(
access_token: 'access_token',
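Review bot: None of the updated tests sets `REQUEST_URI` to a value carrying a query string, which is what a real sign-in callback request looks like, so the `parse_url(..., PHP_URL_PATH)` extraction the fix depends on is never exercised by this suite. In test_handleSignInCallback, `$_SERVER['REQUEST_URI'] = '/some_path?state=state&code=code';` next to the existing `QUERY_STRING` assignment would cover the path-only comparison, and a companion case in test_handleSignInCallback_pathDoesNotMatch with `'/foo?state=state'` would confirm a query string does not mask a path mismatch. There is also no case for `REQUEST_URI` being unset, which is the situation the old `PATH_INFO` lookup tolerated via `?? null`. Each of these test functions continues past its hunk.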
