Check origin for CLI auth redirect

Summary: Just to be extra sure, we should ensure that the CLI auth only sends the token to localhost or the Pixie cloud domain. Test Plan: deploy to staging and run `px auth login`, update the redirect URI Reviewers: vihang, philkuz, zasgar Reviewed By: vihang Signed-off-by: Michelle Nguyen <michellenguyen@pixielabs.ai> Differential Revision: https://phab.corp.pixielabs.ai/D11357 GitOrigin-RevId: cf76052
tharinduwijewardane · May 4, 2022 · 6a8fea3 · 6a8fea3
1 parent d80f151
commit 6a8fea3
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/src/ui/src/pages/auth/callback.tsx b/src/ui/src/pages/auth/callback.tsx
@@ -265,6 +265,12 @@ export const AuthCallbackPage: React.FC = React.memo(() => {
 
   const sendTokenToCLI = React.useCallback(async (accessToken: string, idToken: string, redirectURI: string) => {
     try {
+      // Check the URL is from an accepted origin.
+      const parsedURL = new URL(redirectURI);
+      if (parsedURL.hostname != 'localhost') {
+        return false;
+      }
+
       const response = await redirectGet(redirectURI, { accessToken });
       return response.status === 200 && response.data === 'OK';
     } catch (error) {
@@ -299,7 +305,7 @@ export const AuthCallbackPage: React.FC = React.memo(() => {
             return;
           }
           // Fallback to manual auth unless there is an actual authentication error.
-          if (config.err?.errorType !== 'auth') {
+          if (!config || config.err?.errorType !== 'auth') {
             setConfig((c) => ({
               ...c,
               mode: 'cli_token',