Merge branch 'main' into v1.2
@@ -234,7 +234,7 @@ export const auth = betterAuth({
|
||||
secondaryStorage: {
|
||||
get: async (key) => {
|
||||
const value = await redis.get(key);
|
||||
return value ? value : null;
|
||||
return value ? JSON.stringify(value) : null;
|
||||
},
|
||||
set: async (key, value, ttl) => {
|
||||
if (ttl) await redis.set(key, value, { EX: ttl });
|
||||
|
||||
@@ -187,6 +187,24 @@ describe("Origin Check", async (it) => {
|
||||
expect(res.data?.user).toBeDefined();
|
||||
});
|
||||
|
||||
it("shouldn't work with callback url with double slash", async (ctx) => {
|
||||
const client = createAuthClient({
|
||||
baseURL: "http://localhost:3000",
|
||||
fetchOptions: {
|
||||
customFetchImpl,
|
||||
headers: {
|
||||
origin: "https://localhost:3000",
|
||||
},
|
||||
},
|
||||
});
|
||||
const res = await client.signIn.email({
|
||||
email: testUser.email,
|
||||
password: testUser.password,
|
||||
callbackURL: "//evil.com",
|
||||
});
|
||||
expect(res.error?.status).toBe(403);
|
||||
});
|
||||
|
||||
it("should work with GET requests", async (ctx) => {
|
||||
const client = createAuthClient({
|
||||
baseURL: "https://sub-domain.my-site.com",
|
||||
|
||||
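Review bot: The new test pins only the literal `//evil.com` spelling, so it keeps passing if the check is later bypassed through the other forms the URL parser resolves to an external host; add `callbackURL: "/\\evil.com"` and `callbackURL: "/\t/evil.com"` cases expecting the same 403, since a backslash is parsed as a slash for http(s) bases and ASCII tab/newline are stripped before parsing. The request also sends `origin: "https://localhost:3000"` against an `http://localhost:3000` base URL; if that scheme mismatch alone already yields 403, the assertion is not exercising the callbackURL path at all, and a positive control with a legitimate `callbackURL: "/dashboard"` under the same headers would show which. The enclosing `describe("Origin Check", ...)` block continues outside the hunk.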
@@ -47,7 +47,10 @@ export const originCheckMiddleware = createAuthMiddleware(async (ctx) => {
|
||||
const isTrustedOrigin = trustedOrigins.some(
|
||||
(origin) =>
|
||||
matchesPattern(url, origin) ||
|
||||
(url?.startsWith("/") && label !== "origin" && !url.includes(":")),
|
||||
(url?.startsWith("/") &&
|
||||
label !== "origin" &&
|
||||
!url.includes(":") &&
|
||||
!url.includes("//")),
|
||||
);
|
||||
if (!isTrustedOrigin) {
|
||||
ctx.context.logger.error(`Invalid ${label}: ${url}`);
|
||||
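Review bot: `!url.includes("//")` closes the `//evil.com` case but not the other spellings the WHATWG URL parser resolves to a different host: a backslash is treated as a slash for http(s) bases, so `/\evil.com` passes this predicate, and ASCII tab/newline are stripped from the input before parsing, so `/\t/evil.com` passes too, while a harmless path such as `/a//b` is rejected. Test the second character after stripping those, e.g. replace the two `includes` lines with `!url.includes(":") && !/^\/[\\/]/.test(url.replace(/[\t\r\n]/g, ""))`; the most robust option is to resolve the value against the configured base URL with `new URL(url, base)` and require its `origin` to match, if a base URL is available on `ctx.context`. The same four-clause predicate is repeated verbatim in `originCheck` in the next hunk, so moving it into one helper (`isSafeRelativePath(url)`) keeps the two from drifting. `originCheckMiddleware` starts and ends outside the hunk.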
@@ -102,7 +105,10 @@ export const originCheck = (
|
||||
const isTrustedOrigin = trustedOrigins.some(
|
||||
(origin) =>
|
||||
matchesPattern(url, origin) ||
|
||||
(url?.startsWith("/") && label !== "origin" && !url.includes(":")),
|
||||
(url?.startsWith("/") &&
|
||||
label !== "origin" &&
|
||||
!url.includes(":") &&
|
||||
!url.includes("//")),
|
||||
);
|
||||
if (!isTrustedOrigin) {
|
||||
ctx.context.logger.error(`Invalid ${label}: ${url}`);
|
||||
|
||||
@@ -118,7 +118,10 @@ export const getSession = <Option extends BetterAuthOptions>() =>
|
||||
if (sessionDataPayload) {
|
||||
const isValid = await createHMAC("SHA-256", "base64urlnopad").verify(
|
||||
ctx.context.secret,
|
||||
JSON.stringify(sessionDataPayload.session),
|
||||
JSON.stringify({
|
||||
...sessionDataPayload.session,
|
||||
expiresAt: sessionDataPayload.expiresAt,
|
||||
}),
|
||||
sessionDataPayload.signature,
|
||||
);
|
||||
if (!isValid) {
|
||||
|
||||
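Review bot: The serialization that is MAC-verified at `JSON.stringify({ ...sessionDataPayload.session, expiresAt: sessionDataPayload.expiresAt })` is hand-duplicated from the signing side in `setCookieCache`; any drift in key order or field set between the two silently turns every cached session into a verification miss, so both sides should call one shared helper, e.g. `const signedSessionPayload = (session, expiresAt) => JSON.stringify({ ...session, expiresAt });`. Binding `expiresAt` into the MAC is the right move, since that value is read back from the client-held cookie, but the hunk does not show whether `sessionDataPayload.expiresAt` is afterwards compared against the current time — a correctly signed but expired payload must still be rejected, and that check, if present, lies outside this hunk. The enclosing `getSession` handler starts and ends outside the hunk.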
@@ -113,7 +113,13 @@ export async function setCookieCache(
|
||||
).getTime(),
|
||||
signature: await createHMAC("SHA-256", "base64urlnopad").sign(
|
||||
ctx.context.secret,
|
||||
JSON.stringify(session),
|
||||
JSON.stringify({
|
||||
...session,
|
||||
expiresAt: getDate(
|
||||
ctx.context.authCookies.sessionData.options.maxAge || 60,
|
||||
"sec",
|
||||
).getTime(),
|
||||
}),
|
||||
),
|
||||
}),
|
||||
{
|
||||
|
||||
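Review bot: `getDate(ctx.context.authCookies.sessionData.options.maxAge || 60, "sec").getTime()` is evaluated twice while building the payload — once for the stored `expiresAt` (the call ending at `).getTime(),` at the top of the hunk) and again inside the object that is signed — so whenever the millisecond clock advances between the two calls the signed `expiresAt` differs from the one shipped in the cookie and the HMAC check in `getSession` fails, silently discarding the cache. Compute the timestamp once and use the same value in both places. `setCookieCache` and the object literal being built begin outside the hunk, so the hoisted `const` has to go above them.

```typescript
// hoist above the payload object, which begins before this hunk
const expiresAt = getDate(
	ctx.context.authCookies.sessionData.options.maxAge || 60,
	"sec",
).getTime();
// … unchanged: start of the payload object (session, …) …
expiresAt,
signature: await createHMAC("SHA-256", "base64urlnopad").sign(
	ctx.context.secret,
	JSON.stringify({ ...session, expiresAt }),
),
```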