chore: fix tests

oglassdev · Oct 14, 2024 · 584bce0 · 584bce0
1 parent b742149
commit 584bce0
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 23 deletions.
diff --git a/packages/better-auth/src/api/middlewares/redirect.ts b/packages/better-auth/src/api/middlewares/redirect.ts
@@ -32,18 +32,17 @@ export const redirectURLMiddleware = createAuthMiddleware(async (ctx) => {
 				message: "Invalid callback URL",
 			});
 		}
-	} else {
-		if (currentURL !== ctx.context.baseURL) {
-			const currentURLOrigin = new URL(currentURL).origin;
-			if (!trustedOrigins.includes(currentURLOrigin)) {
-				logger.error("Invalid current URL", {
-					currentURL,
-					trustedOrigins,
-				});
-				throw new APIError("FORBIDDEN", {
-					message: "Invalid callback URL",
-				});
-			}
+	}
+	if (currentURL !== ctx.context.baseURL) {
+		const currentURLOrigin = new URL(currentURL).origin;
+		if (!trustedOrigins.includes(currentURLOrigin)) {
+			logger.error("Invalid current URL", {
+				currentURL,
+				trustedOrigins,
+			});
+			throw new APIError("FORBIDDEN", {
+				message: "Invalid callback URL",
+			});
 		}
 	}
 });
diff --git a/packages/better-auth/src/api/routes/sign-in.ts b/packages/better-auth/src/api/routes/sign-in.ts
@@ -53,21 +53,11 @@ export const signInOAuth = createAuthEndpoint(
 		const currentURL = c.query?.currentURL
 			? new URL(c.query?.currentURL)
 			: null;
-		const trustedOrigins = [
-			c.context.baseURL,
-			...(c.context.options.trustedOrigins || []),
-		];
+
 		const callbackURL = c.body.callbackURL?.startsWith("http")
 			? c.body.callbackURL
 			: `${currentURL?.origin}${c.body.callbackURL || ""}`;
 
-		const callbackOrigin = new URL(callbackURL).origin;
-		if (!trustedOrigins.includes(callbackOrigin)) {
-			throw new APIError("UNAUTHORIZED", {
-				message: "Invalid callback URL",
-			});
-		}
-
 		const state = generateState(
 			callbackURL || currentURL?.origin || c.context.baseURL,
 			c.query?.currentURL,

diff --git a/packages/better-auth/src/social-providers/providers.test.ts b/packages/better-auth/src/social-providers/providers.test.ts
@@ -79,6 +79,7 @@ describe("Social Providers", async () => {
 				},
 			},
 		);
+
 		expect(signInRes.data).toMatchObject({
 			url: expect.stringContaining("google.com"),
 			state: expect.any(String),
@@ -108,4 +109,26 @@ describe("Social Providers", async () => {
 			},
 		});
 	});
+
+	it("should be protected from callback URL attacks", async () => {
+		const signInRes = await client.signIn.social(
+			{
+				provider: "google",
+				callbackURL: "https://evil.com/callback",
+			},
+			{
+				onSuccess(context) {
+					const cookies = parseSetCookieHeader(
+						context.response.headers.get("set-cookie") || "",
+					);
+					headers.set(
+						"cookie",
+						`better-auth.state=${cookies.get("better-auth.state")?.value}`,
+					);
+				},
+			},
+		);
+		expect(signInRes.error?.status).toBe(403);
+		expect(signInRes.error?.message).toBe("Invalid callback URL");
+	});
 });