Merge pull request #387 from ForgeRock/develop

Release 4.2.0

e2e/mock-api/src/app/routes.auth.js

@@ -440,7 +440,7 @@ export default function (app) {
   app.get('/login', async (req, res) => {
     const domain = req.url.includes('localhost') ? 'localhost' : 'example.com';
 
-    res.cookie('iPlanetDirectoryPro', 'abcd1234', { domain });
+    res.cookie('iPlanetDirectoryPro', 'abcd1234', { domain, sameSite: 'none', secure: true });
 
     const url = new URL(`${req.protocol}://${req.headers.host}${authPaths.authorize[1]}`);
     url.searchParams.set('client_id', req.query.client_id);

e2e/token-vault-app/index.html

@@ -51,6 +51,7 @@
     <button id="logoutBtn">Logout</button>
     <button id="unregisterInterceptorBtn">Unregister Interceptor</button>
     <button id="destroyProxyBtn">Destroy Proxy</button>
+    <button id="hacker">Hacker!</button>
 
     <dl>
       <dt>User Logged In:</dt>

e2e/token-vault-app/src/main.ts

@@ -100,6 +100,7 @@ const loggedInEl = getById('loggedInDef');
 const userInfoEl = getById('userInfoDef');
 const hasTokensEl = getById('hasTokensDef');
 const refreshTokensEl = getById('refreshTokensDef');
+const hackerEl = getById('hacker');
 
 /**
  * If the URL has state and code as query parameters, then the user
@@ -153,6 +154,29 @@ refreshTokensBtn.addEventListener('click', async (event) => {
   console.log(res);
 });
 
+hackerEl.addEventListener('click', async () => {
+  console.log('in hacker function!');
+  const proxyChannel = new MessageChannel();
+  const proxyOrigin = 'http://localhost:5833';
+
+  // Create a request to a URL that is not allow-listed
+  const request = { url: 'https://reqres.in/api/users/2' };
+
+  const type = 'TVP_FETCH_RESOURCE';
+
+  // Grab the Proxy's iframe and post message to it
+  (document?.getElementById('token-vault-iframe') as HTMLIFrameElement)?.contentWindow?.postMessage(
+    { type, request },
+    proxyOrigin,
+    [proxyChannel.port2],
+  );
+
+  // This is how you listen for the response from the Proxy
+  proxyChannel.port1.onmessage = (event) => {
+    console.log(event.data); // This should return error
+  };
+});
+
 loginBtn.addEventListener('click', async (event) => {
   console.log('Logging in...');
   await TokenManager.getTokens({

e2e/token-vault-proxy/src/main.ts

@@ -15,4 +15,7 @@ proxy({
     },
     realmPath: import.meta.env.VITE_AM_REALM,
   },
+  proxy: {
+    urls: ['https://jsonplaceholder.typicode.com/*'],
+  },
 });

e2e/token-vault-suites/project.json

@@ -40,6 +40,6 @@
       }
     }
   },
-  "tags": [],
+  "tags": ["scope:e2e"],
   "implicitDependencies": ["token-vault-app", "token-vault-proxy"]
 }

e2e/token-vault-suites/src/basic.test.ts

@@ -89,3 +89,27 @@ test('Test happy paths on test page', async ({ page }) => {
   const revokedTokens = await getTokens('http://localhost:5833', 'CentralLoginOAuthClient');
   expect(revokedTokens).toBeFalsy();
 });
+/*
+ * ensure the proxy is not called when the url is not in the allow list
+ * and that the proxy responds with an error
+ */
+test('Ensure someone cannot try to call their own url!', async ({ page }) => {
+  const { navigate } = asyncEvents(page);
+  await navigate('/');
+
+  expect(page.url()).toBe('http://localhost:5823/');
+
+  const messageArray = [];
+  page.on('console', (message) => messageArray.push(message.text()));
+
+  await page.click('#hacker');
+  expect(
+    messageArray.includes('Received TVP_FETCH_RESOURCE event from http://localhost:5823'),
+  ).toBe(true);
+  expect(messageArray.includes('Proxying https://reqres.in/api/users/2')).toBe(true);
+  expect(
+    messageArray.includes(
+      '{error: unrecognized_origin, message: Unrecognized origin: https://reqres.in. Please configure URLs in Proxy.}',
+    ),
+  ).toBe(true);
+});