fix(oauth): harden browser launch handling

This commit is contained in:
Armin Ronacher
2026-06-02 23:15:46 +02:00
parent a98e087e5d
commit ba6e5298df
6 changed files with 138 additions and 17 deletions

View File

@@ -132,10 +132,22 @@ async function startDeviceFlow(domain: string): Promise<DeviceCodeResponse> {
throw new Error("Invalid device code response fields");
}
// The verification URI is opened in the user's browser and to prevent `open` from
// opening an executable or similar, we force it to be a URL.
let parsedUri: URL;
try {
parsedUri = new URL(verificationUri);
} catch {
throw new Error("Untrusted verification_uri in device code response");
}
if (parsedUri.protocol !== "https:" && parsedUri.protocol !== "http:") {
throw new Error("Untrusted verification_uri in device code response");
}
return {
device_code: deviceCode,
user_code: userCode,
verification_uri: verificationUri,
verification_uri: parsedUri.href,
interval,
expires_in: expiresIn,
};