From 3735214f21524d84faf5162993b5666b6b65c9d0 Mon Sep 17 00:00:00 2001
From: James Daniels
Date: Thu, 14 Mar 2024 11:56:27 -0400
Subject: [PATCH 1/6] First.
---
 packages/auth/src/platform_browser/index.ts | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/packages/auth/src/platform_browser/index.ts b/packages/auth/src/platform_browser/index.ts
index ea14f3d7aba..e0069998825 100644
--- a/packages/auth/src/platform_browser/index.ts
+++ b/packages/auth/src/platform_browser/index.ts
@@ -90,14 +90,19 @@ export function getAuth(app: FirebaseApp = getApp()): Auth {
   });
 
   const authTokenSyncPath = getExperimentalSetting('authTokenSyncURL');
-  // Don't allow urls (XSS possibility), only paths on the same domain
-  // (starting with a single '/')
-  if (authTokenSyncPath && authTokenSyncPath.match(/^\/[^\/].*/)) {
-    const mintCookie = mintCookieFactory(authTokenSyncPath);
-    beforeAuthStateChanged(auth, mintCookie, () =>
-      mintCookie(auth.currentUser)
-    );
-    onIdTokenChanged(auth, user => mintCookie(user));
+  if (authTokenSyncPath) {
+    // Reduce the chances of an XSS attack by only allowing secure contexts or the same origin.
+    const isLocalHost = ['localhost', '127.0.0.1', '0.0.0.0'].includes(location.hostname);
+    if (isSecureContext || isLocalHost) {
+      const authTokenSyncUrl = new URL(authTokenSyncPath, location.origin);
+      if (location.origin === authTokenSyncUrl.origin) {
+        const mintCookie = mintCookieFactory(authTokenSyncUrl.toString());
+        beforeAuthStateChanged(auth, mintCookie, () =>
+          mintCookie(auth.currentUser)
+        );
+        onIdTokenChanged(auth, user => mintCookie(user));
+      }
+    }
   }
 
   const authEmulatorHost = getDefaultEmulatorHost('auth');
From cb65f9c35cbe9c86f1285ebbff480f0c4e3be0ca Mon Sep 17 00:00:00 2001
From: James Daniels
Date: Thu, 14 Mar 2024 12:10:36 -0400
Subject: [PATCH 2/6] Formatting
---
 packages/auth/src/platform_browser/index.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
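Review bot: `new URL(authTokenSyncPath, location.origin)` on the new side is unguarded, and the URL constructor throws a `TypeError` both when the setting value cannot be parsed and when the base is not a valid URL — which is the case on an opaque-origin document (a sandboxed iframe, for instance), where `location.origin` serializes as the string `'null'` — so a bad setting, or an ordinary setting on such a page, makes `getAuth()` itself throw for every caller. Since this is an experimental setting, a parse failure should leave token sync disabled rather than break auth initialisation; the rewrite below wraps the construction and keeps the same-origin comparison unchanged. The same unguarded call is carried forward by the hunks of [PATCH 4/6] and [PATCH 6/6], so the fix applies there as well. The enclosing `getAuth` starts and ends outside this hunk.
```typescript
    if (isSecureContext || isLocalHost) {
      // A malformed setting value, or an opaque page origin ('null' is not a
      // valid base URL), makes `new URL` throw; treat either as "token sync
      // not configured" instead of failing getAuth().
      let authTokenSyncUrl: URL | undefined;
      try {
        authTokenSyncUrl = new URL(authTokenSyncPath, location.origin);
      } catch {
        authTokenSyncUrl = undefined;
      }
      if (authTokenSyncUrl && location.origin === authTokenSyncUrl.origin) {
        // … unchanged: mintCookieFactory / beforeAuthStateChanged / onIdTokenChanged wiring …
```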
diff --git a/packages/auth/src/platform_browser/index.ts b/packages/auth/src/platform_browser/index.ts
index e0069998825..0454f48271f 100644
--- a/packages/auth/src/platform_browser/index.ts
+++ b/packages/auth/src/platform_browser/index.ts
@@ -92,7 +92,9 @@ export function getAuth(app: FirebaseApp = getApp()): Auth {
   const authTokenSyncPath = getExperimentalSetting('authTokenSyncURL');
   if (authTokenSyncPath) {
     // Reduce the chances of an XSS attack by only allowing secure contexts or the same origin.
-    const isLocalHost = ['localhost', '127.0.0.1', '0.0.0.0'].includes(location.hostname);
+    const isLocalHost = ['localhost', '127.0.0.1', '0.0.0.0'].includes(
+      location.hostname
+    );
     if (isSecureContext || isLocalHost) {
       const authTokenSyncUrl = new URL(authTokenSyncPath, location.origin);
       if (location.origin === authTokenSyncUrl.origin) {
From e3eee5e93e40d0a49a5adda526e9ac85085366a1 Mon Sep 17 00:00:00 2001
From: James Daniels
Date: Thu, 14 Mar 2024 12:12:44 -0400
Subject: [PATCH 3/6] Format and changelog
---
 .changeset/green-mugs-protect.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/green-mugs-protect.md
diff --git a/.changeset/green-mugs-protect.md b/.changeset/green-mugs-protect.md
new file mode 100644
index 00000000000..38ba2cf9b0f
--- /dev/null
+++ b/.changeset/green-mugs-protect.md
@@ -0,0 +1,5 @@
+---
+'@firebase/auth': patch
+---
+
+Additional protection against misuse of the authTokenSyncURL experiment
From 5645307874f839e958de911998736442c2e4df3f Mon Sep 17 00:00:00 2001
From: James Daniels
Date: Thu, 14 Mar 2024 12:44:53 -0400
Subject: [PATCH 4/6] isSecureContext checks for localhost
---
 packages/auth/src/platform_browser/index.ts | 22 ++++++++------------
 1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/packages/auth/src/platform_browser/index.ts b/packages/auth/src/platform_browser/index.ts
index 0454f48271f..cd42827113f 100644
--- a/packages/auth/src/platform_browser/index.ts
+++ b/packages/auth/src/platform_browser/index.ts
@@ -90,20 +90,14 @@ export function getAuth(app: FirebaseApp = getApp()): Auth {
   });
 
   const authTokenSyncPath = getExperimentalSetting('authTokenSyncURL');
-  if (authTokenSyncPath) {
-    // Reduce the chances of an XSS attack by only allowing secure contexts or the same origin.
-    const isLocalHost = ['localhost', '127.0.0.1', '0.0.0.0'].includes(
-      location.hostname
-    );
-    if (isSecureContext || isLocalHost) {
-      const authTokenSyncUrl = new URL(authTokenSyncPath, location.origin);
-      if (location.origin === authTokenSyncUrl.origin) {
-        const mintCookie = mintCookieFactory(authTokenSyncUrl.toString());
-        beforeAuthStateChanged(auth, mintCookie, () =>
-          mintCookie(auth.currentUser)
-        );
-        onIdTokenChanged(auth, user => mintCookie(user));
-      }
+  if (authTokenSyncPath && isSecureContext) {
+    const authTokenSyncUrl = new URL(authTokenSyncPath, location.origin);
+    if (location.origin === authTokenSyncUrl.origin) {
+      const mintCookie = mintCookieFactory(authTokenSyncUrl.toString());
+      beforeAuthStateChanged(auth, mintCookie, () =>
+        mintCookie(auth.currentUser)
+      );
+      onIdTokenChanged(auth, user => mintCookie(user));
     }
   }
 
From bf2070d5d5dc1b0a4e891afd12b221f42991f42f Mon Sep 17 00:00:00 2001
From: James Daniels
Date: Thu, 14 Mar 2024 12:54:35 -0400
Subject: [PATCH 5/6] Add comments
---
 packages/auth/src/platform_browser/index.ts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/packages/auth/src/platform_browser/index.ts b/packages/auth/src/platform_browser/index.ts
index cd42827113f..972c5b8cef1 100644
--- a/packages/auth/src/platform_browser/index.ts
+++ b/packages/auth/src/platform_browser/index.ts
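Review bot: Replacing the explicit `isLocalHost` list with `isSecureContext` alone changes behaviour for one of the hosts the removed list named: per the Secure Contexts definition, `isSecureContext` is true for `localhost`, `*.localhost` and the `127.0.0.0/8` loopback range, but `0.0.0.0` is not treated as potentially trustworthy, so an app served from `http://0.0.0.0` loses the cookie exchange with this commit while `http://localhost` and `http://127.0.0.1` keep it. That is most likely the intended tightening, but it is not visible from the condition itself and deserves a comment on the new `if`, e.g. `// isSecureContext covers https plus localhost/127.0.0.0/8; plain-http hosts such as 0.0.0.0 are intentionally excluded`. The enclosing `getAuth` starts and ends outside this hunk.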
@@ -90,7 +90,9 @@ export function getAuth(app: FirebaseApp = getApp()): Auth {
   });
 
   const authTokenSyncPath = getExperimentalSetting('authTokenSyncURL');
+  // Only do the Cookie exchange in a secure context
   if (authTokenSyncPath && isSecureContext) {
+    // Don't allow urls (XSS possibility), only paths on the same domain
     const authTokenSyncUrl = new URL(authTokenSyncPath, location.origin);
     if (location.origin === authTokenSyncUrl.origin) {
       const mintCookie = mintCookieFactory(authTokenSyncUrl.toString());
From 939a060a67f097c51ee110723359ae5086c28530 Mon Sep 17 00:00:00 2001
From: James Daniels
Date: Thu, 21 Mar 2024 13:01:09 -0400
Subject: [PATCH 6/6] Guard against isSecureContext not being present
---
 packages/auth/src/platform_browser/index.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/packages/auth/src/platform_browser/index.ts b/packages/auth/src/platform_browser/index.ts
index 972c5b8cef1..f94525bfeb7 100644
--- a/packages/auth/src/platform_browser/index.ts
+++ b/packages/auth/src/platform_browser/index.ts
@@ -91,7 +91,11 @@ export function getAuth(app: FirebaseApp = getApp()): Auth {
   const authTokenSyncPath = getExperimentalSetting('authTokenSyncURL');
   // Only do the Cookie exchange in a secure context
-  if (authTokenSyncPath && isSecureContext) {
+  if (
+    authTokenSyncPath &&
+    typeof isSecureContext === 'boolean' &&
+    isSecureContext
+  ) {
     // Don't allow urls (XSS possibility), only paths on the same domain
     const authTokenSyncUrl = new URL(authTokenSyncPath, location.origin);
     if (location.origin === authTokenSyncUrl.origin) {
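Review bot: The added comment `// Don't allow urls (XSS possibility), only paths on the same domain` no longer describes the check beneath it: because `authTokenSyncPath` is resolved with `new URL(..., location.origin)` and then compared by origin, an absolute URL is accepted whenever its scheme, host and port equal the page's, and a path on the same domain is rejected if it resolves to a different port or scheme — "domain" and "only paths" are both narrower than what the code enforces. Suggest `// Resolve against location.origin and only allow same-origin targets (scheme, host and port must match); cross-origin URLs are rejected (XSS possibility)`. The enclosing `getAuth` starts and ends outside this hunk.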