[PR #345] [CLOSED] Harden OAuth postMessage origins for GSC and Bing #312

Closed
opened 2026-03-02 23:35:05 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/AJaySi/ALwrity/pull/345
Author: @AJaySi
Created: 2/11/2026
Status: Closed

Base: main ← Head: codex/replace-wildcard-postmessage-targets


📝 Commits (1)

  • 41fc0d9 Harden OAuth postMessage origins for GSC and Bing

📊 Changes

11 files changed (+236 additions, -34 deletions)

View changed files

📝 backend/routers/bing_oauth.py (+20 -9)
📝 backend/routers/gsc_auth.py (+17 -6)
📝 backend/services/oauth_redirects.py (+7 -1)
📝 frontend/src/api/bingOAuth.ts (+1 -0)
📝 frontend/src/api/gsc.ts (+2 -2)
📝 frontend/src/components/BingCallbackPage/BingCallbackPage.tsx (+5 -2)
📝 frontend/src/components/OnboardingWizard/common/useGSCConnection.ts (+9 -2)
📝 frontend/src/components/SEODashboard/components/GSCAuthCallback.tsx (+3 -2)
➕ frontend/src/hooks/__tests__/useBingOAuth.postMessage.test.tsx (+97 -0)
📝 frontend/src/hooks/useBingOAuth.ts (+13 -10)
➕ frontend/src/utils/oauthOrigins.ts (+62 -0)

📄 Description

Motivation

  • Replace unsafe wildcard postMessage targets with explicit validated origins derived from provider redirect configuration to prevent spoofed OAuth popup messages.
  • Centralize trusted-origin logic so frontend and backend share a single canonical source of truth for allowed OAuth postMessage targets.
  • Enforce both origin and popup source checks in message listeners and add integration-level checks to reject untrusted messages.

Description

  • Added get_trusted_origins_for_redirect in backend/services/oauth_redirects.py and updated GSC/Bing auth endpoints to return trusted_origins instead of relying on '*' for callbacks.
  • Replaced wildcard postMessage targets in backend/routers/gsc_auth.py and backend/routers/bing_oauth.py with validated redirect-origin values and used those origins when emitting success/error messages from callback HTML.
  • Introduced frontend/src/utils/oauthOrigins.ts to centralize storing/resolving OAuth postMessage targets and to provide isTrustedOAuthMessageEvent for strict origin+source validation.
  • Updated frontend flows to use the new utility: frontend/src/hooks/useBingOAuth.ts, frontend/src/components/OnboardingWizard/common/useGSCConnection.ts, frontend/src/components/SEODashboard/components/GSCAuthCallback.tsx, and frontend/src/components/BingCallbackPage/BingCallbackPage.tsx now send messages to explicit origins and require trusted origin+popup source before acting.
  • Updated API client typings to surface backend trusted_origins (frontend/src/api/bingOAuth.ts and frontend/src/api/gsc.ts) and added an integration-style test frontend/src/hooks/__tests__/useBingOAuth.postMessage.test.tsx that verifies rejection of untrusted-origin messages and acceptance of trusted-origin + popup-source messages.

Testing

  • Ran python -m py_compile backend/routers/gsc_auth.py backend/routers/bing_oauth.py backend/services/oauth_redirects.py and it succeeded.
  • Added a frontend Jest test (src/hooks/__tests__/useBingOAuth.postMessage.test.tsx) that simulates popup messaging and verifies the trust checks, but running npm test -- --watch=false --runInBand src/hooks/__tests__/useBingOAuth.postMessage.test.tsx failed in this environment because react-scripts is not installed.
  • Static sanity checks and local Python compilation were performed on modified backend modules to ensure no syntax errors.

Codex Task: https://chatgpt.com/codex/tasks/task_e_698c306b11748328acf2f45f5a597085


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
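The two checks the PR describes (an explicit postMessage target instead of `'*'`, and a listener that requires both a trusted `event.origin` and the popup as `event.source`) as an added illustration. This is not code from the ALwrity repository: the function names mirror the PR's wording, the origins, message type and window stubs are constructed for the example.

```javascript
// Added example, not the project's own code. Names echo the PR description
// (trusted origins, isTrustedOAuthMessageEvent); the logic is an independent
// illustration of the same checks. All URLs and payloads below are constructed.

// Derive the exact origin (scheme + host + port) from a configured redirect
// URI. This is the value the backend should hand to the frontend as
// trusted_origins. Unparseable or non-http(s) values yield null, never "*".
function originFromRedirectUri(redirectUri) {
  let url;
  try {
    url = new URL(redirectUri);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.origin;
}

// Callback-page side: refuse to broadcast. Without an explicit target origin
// the result is not sent at all, so a wildcard can never slip back in.
function postOAuthResult(opener, payload, targetOrigin) {
  if (!opener || !targetOrigin || targetOrigin === "*") return false;
  opener.postMessage(payload, targetOrigin);
  return true;
}

// Opener side: strict check run inside the "message" listener.
//  1. event.source must be the popup this page opened (any other frame or
//     window is ignored even when its origin matches).
//  2. event.origin must exactly match one of the trusted origins.
//  3. The payload must be an object carrying the expected message type.
function isTrustedOAuthMessageEvent(event, trustedOrigins, popup, expectedType) {
  if (!popup || event.source !== popup) return false;
  if (!trustedOrigins.includes(event.origin)) return false;
  const data = event.data;
  return typeof data === "object" && data !== null && data.type === expectedType;
}

// Constructed scenario: backend callback lives on https://api.example.com,
// the popup stub stands in for the window.open() result.
function runScenario() {
  const trustedOrigins = [originFromRedirectUri("https://api.example.com/bing/callback")];
  const popup = { name: "oauth-popup" };
  const otherWindow = { name: "some-other-frame" };
  const ok = { type: "OAUTH_SUCCESS" };
  const fromPopup = { origin: "https://api.example.com", source: popup, data: ok };
  const wrongOrigin = { origin: "https://untrusted.example.net", source: popup, data: ok };
  const wrongSource = { origin: "https://api.example.com", source: otherWindow, data: ok };
  return {
    fromPopup: isTrustedOAuthMessageEvent(fromPopup, trustedOrigins, popup, "OAUTH_SUCCESS"),
    wrongOrigin: isTrustedOAuthMessageEvent(wrongOrigin, trustedOrigins, popup, "OAUTH_SUCCESS"),
    wrongSource: isTrustedOAuthMessageEvent(wrongSource, trustedOrigins, popup, "OAUTH_SUCCESS"),
  };
}
```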
