feat(calendar): store only token hash in database to enhance security
feat(federation): escape LIKE special characters in originDomain to prevent wildcard injection
feat(oauth): redirect with token in hash fragment to avoid exposure in logs
feat(OAuthCallback): retrieve token from hash fragment for improved security
@@ -13,9 +13,13 @@ export default function OAuthCallback() {
const navigate = useNavigate();
|
useEffect(() => {
const token = searchParams.get('token');
// Token is passed via hash fragment (never sent to server, not logged, not in Referer).
// Error is still a regular query param since it contains no sensitive data.
const hash = window.location.hash.slice(1); // strip leading '#'
const hashParams = new URLSearchParams(hash);
const token = hashParams.get('token');
const errorMsg = searchParams.get('error');
const returnTo = searchParams.get('return_to') || '/dashboard';
const returnTo = hashParams.get('return_to') || searchParams.get('return_to') || '/dashboard';
|
if (errorMsg) {
setError(errorMsg);
|
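Review bot: The token stays in `window.location.hash` after it is read at `const token = hashParams.get('token');`, so it remains in the address bar and browser history and is readable by any script on the page for as long as the route stays mounted; the "not logged" in the new comment holds only for the server side. Once the value is extracted, clear the fragment with `window.history.replaceState(null, '', window.location.pathname + window.location.search);`. Separately, `returnTo` is now sourced from the user-controlled fragment as well as the query string; if it is later handed to `navigate` or `window.location` without validation (that use is outside this hunk), an absolute or protocol-relative value would become an open redirect, so constrain it to a same-origin path, e.g. `const safeReturnTo = /^\/(?!\/)/.test(returnTo) ? returnTo : '/dashboard';`. The useEffect body continues past the end of the hunk.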