Hugging Face's logo

Spaces:
evijit
/
pluralchat
Sleeping

App Files Community
1
Guido Muscioni nsarrazin commited on
Commit
0fcb8db
·
unverified ·
1 Parent(s): 3015bd4

fix: parse ISS if returned in OIDC flow (#1162)

Browse files

fix: parse iss and pass when available

Co-authored-by: Nathan Sarrazin <sarrazin.nathan@gmail.com>

Files changed (2) hide show
  1. src/lib/server/auth.ts +6 -2
  2. src/routes/login/callback/+page.server.ts +7 -2
src/lib/server/auth.ts CHANGED
@@ -110,9 +110,13 @@ export async function getOIDCAuthorizationUrl(
110
  });
111
  }
112
 
113
- export async function getOIDCUserData(settings: OIDCSettings, code: string): Promise<OIDCUserInfo> {
 
 
 
 
114
  const client = await getOIDCClient(settings);
115
- const token = await client.callback(settings.redirectURI, { code });
116
  const userData = await client.userinfo(token);
117
 
118
  return { token, userData };
 
110
  });
111
  }
112
 
113
+ export async function getOIDCUserData(
114
+ settings: OIDCSettings,
115
+ code: string,
116
+ iss?: string
117
+ ): Promise<OIDCUserInfo> {
118
  const client = await getOIDCClient(settings);
119
+ const token = await client.callback(settings.redirectURI, { code, iss });
120
  const userData = await client.userinfo(token);
121
 
122
  return { token, userData };
src/routes/login/callback/+page.server.ts CHANGED
@@ -24,10 +24,11 @@ export async function load({ url, locals, cookies, request, getClientAddress })
24
  throw error(400, errorName + (errorDescription ? ": " + errorDescription : ""));
25
  }
26
 
27
- const { code, state } = z
28
  .object({
29
  code: z.string(),
30
  state: z.string(),
 
31
  })
32
  .parse(Object.fromEntries(url.searchParams.entries()));
33
 
@@ -39,7 +40,11 @@ export async function load({ url, locals, cookies, request, getClientAddress })
39
  throw error(403, "Invalid or expired CSRF token");
40
  }
41
 
42
- const { userData } = await getOIDCUserData({ redirectURI: validatedToken.redirectUrl }, code);
 
 
 
 
43
 
44
  // Filter by allowed user emails
45
  if (allowedUserEmails.length > 0) {
 
24
  throw error(400, errorName + (errorDescription ? ": " + errorDescription : ""));
25
  }
26
 
27
+ const { code, state, iss } = z
28
  .object({
29
  code: z.string(),
30
  state: z.string(),
31
+ iss: z.string().optional(),
32
  })
33
  .parse(Object.fromEntries(url.searchParams.entries()));
34
 
 
40
  throw error(403, "Invalid or expired CSRF token");
41
  }
42
 
43
+ const { userData } = await getOIDCUserData(
44
+ { redirectURI: validatedToken.redirectUrl },
45
+ code,
46
+ iss
47
+ );
48
 
49
  // Filter by allowed user emails
50
  if (allowedUserEmails.length > 0) {