diff --git a/CHANGELOG.md b/CHANGELOG.md
index c5c64dcb..da139c24 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,10 +1,10 @@
-## (WIP) v0.15.2
+## v0.15.2
 - Fixed View query `SELECT DISTINCT` identifiers parsing ([#2349-5706019](https://github.com/pocketbase/pocketbase/discussions/2349#discussioncomment-5706019)).
 - Fixed View collection schema incorrectly resolving multiple aliased fields originating from the same field source ([#2349-5707675](https://github.com/pocketbase/pocketbase/discussions/2349#discussioncomment-5707675)).
-- Added OAuth2 redirect page fallback message to notify the user to go back to the app in case the browser window is not auto closed.
+- Added OAuth2 redirect fallback message to notify the user to go back to the app in case the browser window is not auto closed.
 ## v0.15.1
diff --git a/apis/record_auth.go b/apis/record_auth.go
index 618b001b..f5425337 100644
--- a/apis/record_auth.go
+++ b/apis/record_auth.go
@@ -642,9 +642,13 @@ func (api *recordAuthApi) oauth2SubscriptionRedirect(c echo.Context) error {
 	state := c.QueryParam("state")
 	code := c.QueryParam("code")
+	if code == "" || state == "" {
+		return NewBadRequestError("Invalid OAuth2 redirect parameters.", nil)
+	}
+
 	client, err := api.app.SubscriptionsBroker().ClientById(state)
 	if err != nil || client.IsDiscarded() || !client.HasSubscription(oauth2SubscriptionTopic) {
-		return NewNotFoundError("Missing or invalid oauth2 subscription client", err)
+		return NewNotFoundError("Missing or invalid OAuth2 subscription client.", err)
 	}
 	data := map[string]string{
@@ -654,7 +658,7 @@ func (api *recordAuthApi) oauth2SubscriptionRedirect(c echo.Context) error {
 	encodedData, err := json.Marshal(data)
 	if err != nil {
-		return NewBadRequestError("Failed to marshalize oauth2 redirect data", err)
+		return NewBadRequestError("Failed to marshalize OAuth2 redirect data.", err)
 	}
 	msg := subscriptions.Message{
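Review bot: The new guard at `if code == "" || state == "" {` also rejects the provider's error redirect (RFC 6749 §4.1.2.1 sends `error=…&state=…` with no `code`), so a user who denies consent now gets a bare 400 in the popup and the subscribed realtime client is never told that the flow ended. Consider requiring only `state` and accepting either `code` or `error`, e.g. `if state == "" || (code == "" && c.QueryParam("error") == "") {`, and carrying the error value in `data` so the client can stop waiting; the keys of `data` and the message send are outside this hunk, so the forwarding side would need a matching change there. Note too that `state` doubles as the subscription client ID, so anyone who learns a live client ID can push an arbitrary `code` into that client's session; this appears to rely on client IDs being unguessable and on the client-side code exchange (PKCE verifier, if used) rejecting a foreign code, which deserves a comment on the handler. `oauth2SubscriptionRedirect` begins before this hunk and continues after it.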
diff --git a/apis/record_auth_test.go b/apis/record_auth_test.go
index 060bccb5..ca9f5527 100644
--- a/apis/record_auth_test.go
+++ b/apis/record_auth_test.go
@@ -1175,21 +1175,28 @@ func TestRecordAuthOAuth2Redirect(t *testing.T) {
 		{
 			Name: "no state query param",
 			Method: http.MethodGet,
-			Url: "/api/oauth2-redirect",
-			ExpectedStatus: 404,
+			Url: "/api/oauth2-redirect?code=123",
+			ExpectedStatus: 400,
+			ExpectedContent: []string{`"data":{}`},
+		},
+		{
+			Name: "no code query param",
+			Method: http.MethodGet,
+			Url: "/api/oauth2-redirect?state=" + c3.Id(),
+			ExpectedStatus: 400,
 			ExpectedContent: []string{`"data":{}`},
 		},
 		{
 			Name: "missing client",
 			Method: http.MethodGet,
-			Url: "/api/oauth2-redirect?state=missing",
+			Url: "/api/oauth2-redirect?code=123&state=missing",
 			ExpectedStatus: 404,
 			ExpectedContent: []string{`"data":{}`},
 		},
 		{
 			Name: "discarded client with @oauth2 subscription",
 			Method: http.MethodGet,
-			Url: "/api/oauth2-redirect?state=" + c5.Id(),
+			Url: "/api/oauth2-redirect?code=123&state=" + c5.Id(),
 			BeforeTestFunc: beforeTestFunc,
 			ExpectedStatus: 404,
 			ExpectedContent: []string{`"data":{}`},
@@ -1197,7 +1204,7 @@ func TestRecordAuthOAuth2Redirect(t *testing.T) {
 		{
 			Name: "client without @oauth2 subscription",
 			Method: http.MethodGet,
-			Url: "/api/oauth2-redirect?state=" + c4.Id(),
+			Url: "/api/oauth2-redirect?code=123&state=" + c4.Id(),
 			BeforeTestFunc: beforeTestFunc,
 			ExpectedStatus: 404,
 			ExpectedContent: []string{`"data":{}`},
@@ -1205,7 +1212,7 @@ func TestRecordAuthOAuth2Redirect(t *testing.T) {
 		{
 			Name: "client with @oauth2 subscription",
 			Method: http.MethodGet,
-			Url: "/api/oauth2-redirect?state=" + c3.Id(),
+			Url: "/api/oauth2-redirect?code=123&state=" + c3.Id(),
 			BeforeTestFunc: func(t *testing.T, app *tests.TestApp, e *echo.Echo) {
 				beforeTestFunc(t, app, e)
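Review bot: The new table entries pin the 400 for a missing `code` or `state`, but there is no case for the provider's error redirect, e.g. `Url: "/api/oauth2-redirect?error=access_denied&state=" + c3.Id()`, which under the new guard also returns 400 because `code` is absent; adding it would make explicit whether dropping the provider error without notifying the subscribed client is intended. A case with an empty rather than absent value, such as `Url: "/api/oauth2-redirect?code=&state=" + c3.Id()`, would also pin that the handler presumably treats `code=` and no `code` alike. `TestRecordAuthOAuth2Redirect` begins before this hunk.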