From 407f507c9886fc776cf17d8e3ac3b3dc89d7944c Mon Sep 17 00:00:00 2001 From: David McCoy Date: Fri, 25 Oct 2024 10:51:35 -0400 Subject: [PATCH] actually block silent refreshing from other origins --- projects/lib/src/auth.config.ts | 7 ++++- projects/lib/src/oauth-service.ts | 26 ++++++++++++------- .../quickstart-demo/src/app/auth.config.ts | 1 + projects/sample/src/app/auth.config.ts | 2 ++ 4 files changed, 26 insertions(+), 10 deletions(-) diff --git a/projects/lib/src/auth.config.ts b/projects/lib/src/auth.config.ts index 46445603..1b5b23c4 100644 --- a/projects/lib/src/auth.config.ts +++ b/projects/lib/src/auth.config.ts @@ -275,10 +275,15 @@ export class AuthConfig { public disableIdTokenTimer? = false; /** - * Blocks other origins requesting a silent refresh + * Checks whether other origins requesting a silent refresh and logs error */ public checkOrigin? = false; + /** + * Blocks other origins requesting a silent refresh + */ + public blockOtherOrigins? = false; + constructor(json?: Partial) { if (json) { Object.assign(this, json); diff --git a/projects/lib/src/oauth-service.ts b/projects/lib/src/oauth-service.ts index dce071f9..38ce6f44 100644 --- a/projects/lib/src/oauth-service.ts +++ b/projects/lib/src/oauth-service.ts 
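Review bot: The rewritten doc comment on `checkOrigin`, `Checks whether other origins requesting a silent refresh and logs error`, is ungrammatical and does not say plainly that the flag no longer prevents anything; suggest `Logs an error when a silent-refresh message arrives from another origin; does not reject it — see blockOtherOrigins`. `blockOtherOrigins` defaults to `false`, so a deployment that enabled `checkOrigin` on the strength of the old comment ("Blocks other origins...") keeps accepting cross-origin messages until it opts in to the new flag, and its comment should say so, e.g. `Rejects silent-refresh messages from other origins. Off by default for backwards compatibility; enable this in production`. Whether the default should flip to `true` is a release-policy call, but as written the permissive behaviour is the default.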
@@ -1024,17 +1024,25 @@ export class OAuthService extends AuthConfig implements OnDestroy { this.silentRefreshPostMessageEventListener = (e: MessageEvent) => { const message = this.processMessageEventMessage(e); - if (this.checkOrigin && e.origin !== location.origin) { - console.error('wrong origin requested silent refresh!'); + const hasDifferentOrigin = e.origin !== location.origin; + + const shouldLogErrorForWrongOrigin = hasDifferentOrigin && (this.checkOrigin || this.blockOtherOrigins); + + if (shouldLogErrorForWrongOrigin) { + console.error(`wrong origin requested silent refresh! expected: "${location.origin}", got: "${e.origin}"`); } - this.tryLogin({ - customHashFragment: message, - preventClearHashAfterLogin: true, - customRedirectUri: this.silentRefreshRedirectUri || this.redirectUri, - }).catch((err) => - this.debug('tryLogin during silent refresh failed', err) - ); + const isAllowedToSilentRefresh = !hasDifferentOrigin || !this.blockOtherOrigins; + + if (isAllowedToSilentRefresh) { + this.tryLogin({ + customHashFragment: message, + preventClearHashAfterLogin: true, + customRedirectUri: this.silentRefreshRedirectUri || this.redirectUri, + }).catch((err) => + this.debug('tryLogin during silent refresh failed', err) + ); + } }; window.addEventListener( diff --git a/projects/quickstart-demo/src/app/auth.config.ts b/projects/quickstart-demo/src/app/auth.config.ts index b9752a1a..97e561f4 100644 --- a/projects/quickstart-demo/src/app/auth.config.ts +++ b/projects/quickstart-demo/src/app/auth.config.ts @@ -9,4 +9,5 @@ export const authCodeFlowConfig: AuthConfig = { showDebugInformation: true, timeoutFactor: 0.01, checkOrigin: false, + blockOtherOrigins: false, }; diff --git a/projects/sample/src/app/auth.config.ts b/projects/sample/src/app/auth.config.ts index dc85926b..ef32cd25 100644 --- a/projects/sample/src/app/auth.config.ts +++ b/projects/sample/src/app/auth.config.ts 
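Review bot: `this.processMessageEventMessage(e)` still runs on every message before the origin is examined, so a foreign-origin payload is parsed even when `blockOtherOrigins` is set; move the origin test ahead of it and return early, which also removes the `isAllowedToSilentRefresh` flag. The comparison target is `location.origin`, while `tryLogin` is told the redirect landed on `this.silentRefreshRedirectUri || this.redirectUri`; if a deployment serves that page from another origin, legitimate refreshes are now rejected and the error message names the wrong expectation, so consider deriving the expected origin from that URI (`new URL(uri, location.href).origin`). Origin alone also does not prove the message came from the refresh iframe rather than any same-origin frame; checking `e.source` against the iframe's `contentWindow` would tighten this, though the iframe handle is not visible in this hunk. The `window.addEventListener(` call that installs the listener continues outside the hunk.
```typescript
this.silentRefreshPostMessageEventListener = (e: MessageEvent) => {
  const hasDifferentOrigin = e.origin !== location.origin;

  if (hasDifferentOrigin && (this.checkOrigin || this.blockOtherOrigins)) {
    console.error(`wrong origin requested silent refresh! expected: "${location.origin}", got: "${e.origin}"`);
  }

  // Reject before touching the payload: nothing from a foreign origin is parsed.
  if (hasDifferentOrigin && this.blockOtherOrigins) {
    return;
  }

  const message = this.processMessageEventMessage(e);
  // … unchanged: tryLogin call with customHashFragment / preventClearHashAfterLogin / customRedirectUri …
};
```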
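Review bot: The quickstart config now spells out `blockOtherOrigins: false` next to `checkOrigin: false`, so the sample most readers copy demonstrates the permissive setting with no explanation of the trade-off. Either set it to `true` here, or attach a comment such as `// demo only: production configs should set blockOtherOrigins: true` so the line is not carried into real deployments unchanged.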
@@ -32,5 +32,7 @@ export const authConfig: AuthConfig = { checkOrigin: true, + blockOtherOrigins: true, + timeoutFactor: 0.01, };
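Review bot: With `blockOtherOrigins: true` the neighbouring `checkOrigin: true` is redundant, since the service logs the wrong-origin error whenever either flag is set; keeping both is harmless, but a reader using this sample as a template cannot tell that from the config alone. A one-line comment, `// blockOtherOrigins implies the origin check and error log; checkOrigin alone only logs`, would make the relationship explicit.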