fix registration_allowed_url check with js:

sorah · Dec 6, 2017 · e7558b1 · e7558b1
1 parent 9261deb
commit e7558b1
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/lib/clarion/app.rb b/lib/clarion/app.rb
@@ -114,8 +114,14 @@ def render_authn_json(authn)
       unless params[:name] && params[:callback] && params[:public_key]
         halt 400, 'missing params'
       end
-      if params[:callback].start_with?('js:') && !(conf.registration_allowed_url === params[:callback])
-        halt 400, 'invalid callback'
+      if params[:callback].start_with?('js:')
+        unless conf.registration_allowed_url === params[:callback][3..-1]
+          halt 400, 'invalid callback'
+        end
+      else
+        unless conf.registration_allowed_url === params[:callback]
+          halt 400, 'invalid callback'
+        end
       end
 
       public_key = begin