fix / sso: make sure to delete only loginToken after redirect #16415

Merged
merged 4 commits into from
Feb 11, 2021

Conversation

@bekliev (Contributor) commented Feb 9, 2021

Related to #16292

…ginToken query-param from the window.location api.

Related to element-hq#16292

Signed-off-by: Bekliev Parviz <[email protected]>
@jryans jryans requested a review from t3chguy February 10, 2021 15:36
@jryans (Collaborator) commented Feb 10, 2021

I believe @t3chguy is best positioned to review this.

@bekliev (Contributor, Author) commented Feb 10, 2021

By the way, I checked this functionality locally and it works correctly: it removes only the loginToken query parameter and leaves the other ones untouched.

@t3chguy (Member) left a comment

Any chance we can replace this code to use URL? https://developer.mozilla.org/en-US/docs/Web/API/URL/URL
It should simplify it for this change and also follows the guidance for the package, as url.parse has been deprecated: https://nodejs.org/api/url.html#url_url_parse_urlstring_parsequerystring_slashesdenotehost

@bekliev (Contributor, Author) commented Feb 11, 2021

@t3chguy I think I can do that - I'm going to try to use the URL API of the browser.

Comment on lines -191 to -192
// Remove trailing slash if present
u.pathname = u.pathname.replace(/\/$/, "");
@t3chguy (Member) commented:

So it does look like the behaviour here has been lost.

Previously it'd pass through things like riot.im/app happily too but I think now that'll instead just be riot.im

@bekliev (Contributor, Author) commented:

Hmm... will check that out soon

@bekliev (Contributor, Author) commented:

Yep, it can be fixed with this (committing this approach now)
(screenshot attached in the original comment, not reproduced here)

src/vector/app.tsx (outdated review thread, resolved)
@t3chguy (Member) left a comment

LGTM thanks!!

@t3chguy t3chguy merged commit 19a07bc into element-hq:develop Feb 11, 2021
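As an added example (not element-web's own code from this PR), the behaviour the thread converges on, written against the browser `URL` API the reviewer suggested instead of the deprecated `url.parse`: delete only the `loginToken` query parameter, keep every other parameter and the fragment, and strip a trailing slash from the pathname so that a URL like `riot.im/app/` keeps its `/app` path rather than collapsing to the origin, which is the regression the reviewer flagged. The function name `stripLoginToken` and the sample URLs are constructed for illustration.

```javascript
// Added example, not element-web code. Runs in a browser or in Node (URL is global in both).
function stripLoginToken(href) {
  const u = new URL(href);

  // loginToken is the single-use credential the homeserver hands back after SSO.
  // Leaving it in the address bar exposes it to browser history, bookmarks and
  // Referer headers, so it is the only parameter we remove; everything else stays.
  u.searchParams.delete("loginToken");

  // Older URL implementations leave a dangling "?" when the last parameter is
  // deleted; clearing `search` explicitly drops the query entirely in that case.
  if (u.searchParams.toString() === "") {
    u.search = "";
  }

  // Remove trailing slash if present (the behaviour the old url.parse code had;
  // "/app/" becomes "/app", while a bare "/" is normalised back to "/" by the URL API).
  u.pathname = u.pathname.replace(/\/$/, "");

  return u.toString();
}

// In a browser this is applied without a reload, as #16292 did with replaceState:
//   window.history.replaceState(null, "", stripLoginToken(window.location.href));
```

One caveat when adopting this approach: `URLSearchParams` re-serialises the remaining query in `application/x-www-form-urlencoded` form, so a value that arrived as `a%20b` is emitted as `a+b`. That is semantically equivalent, but if other parameters must survive byte-for-byte, rebuild `u.search` from the raw query string instead of going through `searchParams`.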
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Mar 6, 2021
Changes in [1.7.22](https://github.com/vector-im/element-web/releases/tag/v1.7.22) (2021-03-01)
===============================================================================================
[Full Changelog](element-hq/element-web@v1.7.22-rc.1...v1.7.22)

## Security notice

Element Web 1.7.22 fixes (by upgrading to matrix-react-sdk 3.15.0) a low
severity issue (CVE-2021-21320) where the user content sandbox can be abused to
trick users into opening unexpected documents. The content is opened with a
`blob` origin that cannot access Matrix user data, so messages and secrets are
not at risk.  Thanks to @keerok for responsibly disclosing this via Matrix's
Security Disclosure Policy.

## All changes

 * Upgrade to React SDK 3.15.0 and JS SDK 9.8.0

Changes in [1.7.22-rc.1](https://github.com/vector-im/element-web/releases/tag/v1.7.22-rc.1) (2021-02-24)
=========================================================================================================
[Full Changelog](element-hq/element-web@v1.7.21...v1.7.22-rc.1)

 * Upgrade to React SDK 3.15.0-rc.1 and JS SDK 9.8.0-rc.1
 * Translations update from Weblate
   [\#16529](element-hq/element-web#16529)
 * Add hostSignup config for element.io clients
   [\#16515](element-hq/element-web#16515)
 * VoIP virtual rooms, mkII
   [\#16442](element-hq/element-web#16442)
 * Jitsi widget: Read room name from query parameters
   [\#16456](element-hq/element-web#16456)
 * fix / sso: make sure to delete only loginToken after redirect
   [\#16415](element-hq/element-web#16415)
 * Disable Countly
   [\#16433](element-hq/element-web#16433)

Changes in [1.7.21](https://github.com/vector-im/element-web/releases/tag/v1.7.21) (2021-02-16)
===============================================================================================
[Full Changelog](element-hq/element-web@v1.7.21-rc.1...v1.7.21)

 * Upgrade to React SDK 3.14.0 and JS SDK 9.7.0

Changes in [1.7.21-rc.1](https://github.com/vector-im/element-web/releases/tag/v1.7.21-rc.1) (2021-02-10)
=========================================================================================================
[Full Changelog](element-hq/element-web@v1.7.20...v1.7.21-rc.1)

 * Upgrade to React SDK 3.14.0-rc.1 and JS SDK 9.7.0-rc.1
 * Translations update from Weblate
   [\#16427](element-hq/element-web#16427)
 * Add RegExp dotAll feature test
   [\#16408](element-hq/element-web#16408)
 * Fix Electron type merging
   [\#16405](element-hq/element-web#16405)
 * README: remove Jenkins reference
   [\#16381](element-hq/element-web#16381)
 * Enable PostCSS Calc in webpack builds
   [\#16307](element-hq/element-web#16307)
 * Add configuration security best practices to the README.
   [\#16367](element-hq/element-web#16367)
 * Upgrade matrix-widget-api
   [\#16347](element-hq/element-web#16347)

Changes in [1.7.20](https://github.com/vector-im/element-web/releases/tag/v1.7.20) (2021-02-04)
===============================================================================================
[Full Changelog](element-hq/element-web@v1.7.19...v1.7.20)

 * Upgrade to React SDK 3.13.1

Changes in [1.7.19](https://github.com/vector-im/element-web/releases/tag/v1.7.19) (2021-02-03)
===============================================================================================
[Full Changelog](element-hq/element-web@v1.7.19-rc.1...v1.7.19)

 * Upgrade to React SDK 3.13.0 and JS SDK 9.6.0
 * [Release] Upgrade matrix-widget-api
   [\#16348](element-hq/element-web#16348)

Changes in [1.7.19-rc.1](https://github.com/vector-im/element-web/releases/tag/v1.7.19-rc.1) (2021-01-29)
=========================================================================================================
[Full Changelog](element-hq/element-web@v1.7.18...v1.7.19-rc.1)

 * Upgrade to React SDK 3.13.0-rc.1 and JS SDK 9.6.0-rc.1
 * Translations update from Weblate
   [\#16314](element-hq/element-web#16314)
 * Use history replaceState instead of redirect for SSO flow
   [\#16292](element-hq/element-web#16292)
 * Document the mobile guide toast option
   [\#16301](element-hq/element-web#16301)
 * Update widget-api to beta.12
   [\#16303](element-hq/element-web#16303)
 * Upgrade deps 2021-01
   [\#16294](element-hq/element-web#16294)
 * Move to newer base image for Docker builds
   [\#16275](element-hq/element-web#16275)
 * Docs for the VoIP translate pattern option
   [\#16236](element-hq/element-web#16236)
 * Fix Riot->Element in permalinkPrefix docs
   [\#16227](element-hq/element-web#16227)
 * Supply server_name for optional federation-capable Jitsi auth
   [\#16215](element-hq/element-web#16215)
 * Fix Widget API version confusion
   [\#16212](element-hq/element-web#16212)
 * Add Hebrew language
   [\#16210](element-hq/element-web#16210)
 * Update widget-api to beta 11
   [\#16177](element-hq/element-web#16177)
 * Fix develop Docker builds
   [\#16192](element-hq/element-web#16192)
 * Skip the service worker for Electron
   [\#16157](element-hq/element-web#16157)
 * Use isolated IPC API
   [\#16137](element-hq/element-web#16137)

Changes in [1.7.18](https://github.com/vector-im/element-web/releases/tag/v1.7.18) (2021-01-26)
===============================================================================================
[Full Changelog](element-hq/element-web@v1.7.17...v1.7.18)

 * Upgrade to React SDK 3.12.1 and JS SDK 9.5.1

Changes in [1.7.17](https://github.com/vector-im/element-web/releases/tag/v1.7.17) (2021-01-18)
===============================================================================================
[Full Changelog](element-hq/element-web@v1.7.17-rc.1...v1.7.17)

 * Upgrade to React SDK 3.12.0 and JS SDK 9.5.0

Changes in [1.7.17-rc.1](https://github.com/vector-im/element-web/releases/tag/v1.7.17-rc.1) (2021-01-13)
=========================================================================================================
[Full Changelog](element-hq/element-web@v1.7.16...v1.7.17-rc.1)

 * Upgrade to React SDK 3.12.0-rc.1 and JS SDK 9.5.0-rc.1
 * Translations update from Weblate
   [\#16131](element-hq/element-web#16131)
 * webplatform: Fix notification closing
   [\#16028](element-hq/element-web#16028)
 * Stop building code and types for Element layer
   [\#15999](element-hq/element-web#15999)