From 8b45a4d3668b433eaca68c1f06f40181a9fb1e9b Mon Sep 17 00:00:00 2001 From: Earl Warren <109468362+earl-warren@users.noreply.github.com> Date: Wed, 29 Nov 2023 02:37:12 +0100 Subject: [PATCH] Use appSubUrl for OAuth2 callback URL tip (#28266) - When crafting the OAuth2 callbackURL take into account `appSubUrl`, which is quite safe given that its strictly formatted. - No integration testing as this is all done in Javascript. - Resolves https://codeberg.org/forgejo/forgejo/issues/1795 (cherry picked from commit 27cb6b7956136f87aa78067d9adb5a4c4ce28a24) Co-authored-by: Gusted --- web_src/js/features/admin/common.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/web_src/js/features/admin/common.js b/web_src/js/features/admin/common.js index 250608069..044976ea7 100644 --- a/web_src/js/features/admin/common.js +++ b/web_src/js/features/admin/common.js @@ -2,7 +2,7 @@ import $ from 'jquery'; import {checkAppUrl} from '../common-global.js'; import {hideElem, showElem, toggleElem} from '../../utils/dom.js'; -const {csrfToken} = window.config; +const {csrfToken, appSubUrl} = window.config; export function initAdminCommon() { if ($('.page-content.admin').length === 0) { @@ -172,7 +172,8 @@ export function initAdminCommon() { if ($('.admin.authentication').length > 0) { $('#auth_name').on('input', function () { - $('#oauth2-callback-url').text(`${window.location.origin}/user/oauth2/${encodeURIComponent($(this).val())}/callback`); + // appSubUrl is either empty or is a path that starts with `/` and doesn't have a trailing slash. + $('#oauth2-callback-url').text(`${window.location.origin}${appSubUrl}/user/oauth2/${encodeURIComponent($(this).val())}/callback`); }).trigger('input'); }