-
Notifications
You must be signed in to change notification settings - Fork 493
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add __enableImpersonation flag to enable impersonation again #689
Changes from 3 commits
912487d
604ba91
e109e8f
a04d90f
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -182,8 +182,11 @@ WebAuth.prototype.validateAuthenticationResponse = function(options, parsedHash, | |
var state = parsedHash.state; | ||
var transaction = this.transactionManager.getStoredTransaction(state); | ||
var transactionState = options.state || (transaction && transaction.state) || null; | ||
|
||
var transactionStateMatchesState = transactionState === state; | ||
if (!state || !transactionStateMatchesState) { | ||
var shouldBypassStateChecking = !state && !transactionState && options.__enableImpersonation; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. So if the user provides a value in that field (image you shared). Where does that end up being added, options.state (transaction state) or the request state? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. the value from the screen will be inside |
||
|
||
if (!shouldBypassStateChecking && !transactionStateMatchesState) { | ||
return cb({ | ||
error: 'invalid_token', | ||
errorDescription: '`state` does not match.' | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Won't this be
true
for both values ofnull
? e.g.null === null
->transactionStateMatchesState=true
?