stackoom
  简体   繁体   中英

OAuth popup cross-domain security React.js

 原文  2019-11-06 14:21:04       javascript/ reactjs/ oauth/ popup/ authorization

Question

I'm interested in how to implement OAuth in React using popup ( window.open ).

For example I have:

  1. mysite.com — this is where I open the popup.
  2. passport.mysite.com/oauth/authorize — popup.

The main question is how to create connection between window.open (popup) and window.opener (as it's known the window.opener is null due to cross-domain security therefore we can't use it anymore).

window.opener is removed whenever you navigate to a different host (for security reasons), there is no way around it. The only option should be doing the payment in a frame if it is possible. The top document needs to stay on the same host.

Scheme:

在此处输入图像描述

Possible solutions:

  1. Check an opened window using setInterval described here .
  2. Using cross-storage (not worth it imho ).

So what's the best recommended approach in 2019?

Wrapper for React - https://github.com/Ramshackle-Jamathon/react-oauth-popup

2 answers

solution1
 8 ACCPTED  2019-11-09 18:01:34

Suggested by Khanh TO . OAuth popup with localStorage. Based on react-oauth-popup .

Scheme:

在此处输入图像描述

Code:

oauth-popup.tsx:

import React, {PureComponent, ReactChild} from 'react'

type Props = {
  width: number,
  height: number,
  url: string,
  title: string,
  onClose: () => any,
  onCode: (params: any) => any,
  children?: ReactChild,
}

export default class OauthPopup extends PureComponent<Props> {

  static defaultProps = {
    onClose: () => {},
    width: 500,
    height: 500,
    url: "",
    title: ""
  };

  externalWindow: any;
  codeCheck: any;

  componentWillUnmount() {
    if (this.externalWindow) {
      this.externalWindow.close();
    }
  }

  createPopup = () => {
    const {url, title, width, height, onCode} = this.props;
    const left = window.screenX + (window.outerWidth - width) / 2;
    const top = window.screenY + (window.outerHeight - height) / 2.5;

    const windowFeatures = `toolbar=0,scrollbars=1,status=1,resizable=0,location=1,menuBar=0,width=${width},height=${height},top=${top},left=${left}`;

    this.externalWindow = window.open(
        url,
        title,
        windowFeatures
    );

    const storageListener = () => {
      try {
        if (localStorage.getItem('code')) {
          onCode(localStorage.getItem('code'));
          this.externalWindow.close();
          window.removeEventListener('storage', storageListener);
        }
      } catch (e) {
        window.removeEventListener('storage', storageListener);
      }
    }

    window.addEventListener('storage', storageListener);

    this.externalWindow.addEventListener('beforeunload', () => {
      this.props.onClose()
    }, false);
  };

  render() {
    return (
      <div onClick={this.createPopup)}>
        {this.props.children}
      </div>
    );
  }
}

app.tsx

import React, {FC} from 'react'

const onCode = async (): Promise<undefined> => {
  try {
    const res = await <your_fetch>
  } catch (e) {
    console.error(e);
  } finally {
    window.localStorage.removeItem('code'); //remove code from localStorage
  }
}

const App: FC = () => (
  <OAuthPopup
    url={<your_url>}
    onCode={onCode}
    onClose={() => console.log('closed')}
    title="<your_title>">
    <button type="button">Enter</button>
  </OAuthPopup>
);

export default App;

solution2
 3  2019-11-14 18:06:36

I once encounter an issue on my oauth login flow with window.open/window.opener bug on ms-edge

My flow before this issue was

  • On login button click open a popup
  • After successful login the oauth app redirect to my domain's page
  • Then i call a function of the parent window from with in the popup (window.opener.fn) with data from oauth response and the parent window then close the child popup window

My flow after this issue was

  • On login button click open a popup
  • Create a setinterval in case (window.opener is undefined)
  • After successful login the oauth app redirect to my domain's page
  • Check if window.opener is available then do #3 from the above flow and clearInterval
  • If window.opener is not available then since i am on my domains page i try to set localstorage and try to read the localstorage from inside the setInterval function in parent window then clear the localstorage and setInterval and proceed.
  • (for backward compatibility) If localstorage is also not available then set a client side cookie with the data with a short expiry (5-10 sec) time and try to read the cookie (document.cookie) inside the setInterval function in parent window and proceed.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question js cross-domain to iframe Cross-Domain OAuth… how to get response? Cross-Domain API Access Security Passport js login from cross-domain? Detecting when a Cross-Domain Popup Window Closes JavaScript: Passing data to a cross-domain popup behind the scenes Sending information to parent when popup closes, cross-domain What is the rationale behind AJAX cross-domain security? Why are cross-domain AJAX requests labelled as a “security risk”? Avoiding cross-domain Check and Other Browser Security Checks
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM