Limiting State-Reading URLs/Paths

[dereekb]

Describe the problem you'd like to have solved

I was adding in another OAuth provider yesterday for my project, Nylas, which I was having redirect back to my app with both query parameters state and code. I noticed Auth0/Angular (which I believe uses this plugin) was attempting to use the state and code parameters on routes I wasn't intending for them to be consumed, threw an exception, then redirected back to the front page of the app.

Describe the ideal solution

I'd like to be able to specify the routes that should be matched when attempting to log in. Since when using Auth0 you're limited to pre-defined redirect paths anyways, it seems like it should be ok to limit the paths at which auth0-spa attempts to detect and digest state and code query parameters in the url.

For example:

Limit the path to: /login/authorize
Or specify which routes to not hit: /app/settings/nylas

Since the two functions in AuthService are private it looks like I can't just extend AuthService and override the functionality.

A solution would be to updating AuthConfig's advancedOptions param to allow specifying an additional function that is checked before or after the current code in shouldHandleFunction() is checked using logical and.

I do like having the option for a simple string config in authModule though, so ideal would be to specify the window route as a string to match on, or simply providing true to only match on the redirectUri string if it is provided.

Alternatives and current work-arounds

Right now I updated it so auth redirects from Nylas first go to the api server, which redirects back to the client with different query parameters. I'd rather not do this because it should go straight back to the app itself.

Additional context

Reposting this over from auth0/auth0-spa-js#646

[frederikprijck]

Thanks for reporting this again, adding (part of) my comment in here as well for the easy of tracking things,

In case of Angular, this method is responsible for making that decision: https://github.com/auth0/auth0-angular/blob/master/projects/auth0-angular/src/lib/auth.service.ts#L255.

I think @Auth0/Auth0-Angular might need a solution comparable to what we have in React here: auth0/auth0-react#148

[dereekb]

I wouldn't mind making a pull request with tests for this either eventually, although I noticed that the AuthConfig isn't given an injection token or injected into AuthService so the preferred way on how the configuration ends up in AuthService would be up to the project maintainers.

[frederikprijck]

Hey @dereekb,

I opened a PR #86, feel free to have a look to verify this solves your use-case.

[dereekb]

It looks good to me. It shouldn't be a problem having a variable calculated when the app initializes there since the check is done at the same loaded route when the module is instantiated by Angular anyways, which always occurs when the Auth0 redirect (or any app) takes us back to the app.

And if a user wants to limit the Auth0 to only a single route they can do:

skipRedirectCallback: window.location.pathname !== '/my_auth0_callback_url',

So looks like it meets my needs. Thanks!