added allowRuntimeProviderParams to allow runtime query params #129
@AdriVanHoudt It looks good to me. I'll try tomorrow with the google provider. Please provide some documentation :)
@hueniverse Can you please review this? I really want to make sure we're not introducing a security issue here. My main worry is that we're not verifying the values sent are what the application wanted to send. I don't think it's an issue here but still would like an expert to review this!
Well I am dumb sometimes. Even if we verify the content it does not matter because the client is redirected so an attacker can do whatever they want with it.
I wonder if your original idea of just hoek.merge all the world is the right way to do it. The checks I've made you do are useless...
@hueniverse Thanks for reviewing it.
I did not want a user to attempt to use the login endpoint with extra parameters that we may not want to pass along. But we can't protect against that obviously since the whole OAuth flow is not designed so.
I.e., I am not used to taking query params and passing them along with no verification. But in this case it makes sense.
@AdriVanHoudt I am sorry, you can remove the verification of parameters.
…s to be sent to the auth url // fixes #125 specifically set allowunknown to false rtfm removed validation // added option allowRuntimeQueryParams to not introduce unexpected behaviour // added docs // reverted some style changes more logical test // fixed tests indices cleanup better explanation renamed setting // updated doc // allow runtime params on oauth1