[electron] loopback server should only listen on exact redirect_uri a…

…ddress (#248) Co-authored-by: Ben Polinsky <[email protected]>
iTwin · Jun 11, 2024 · 04e8a75 · 04e8a75
1 parent 9e64b44
commit 04e8a75
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -32,6 +32,8 @@ There is also an [authorization client for command-line developer tools](./packa
 3. Build source: `pnpm build`
 4. Run tests: `pnpm cover`
 
+> Note: Sometimes lage's cache will become stale and it may refuse to build projects you've changed. If this or other odd behavior occurs on build, add the [`--reset-cache` flag](https://microsoft.github.io/lage/docs/Tutorial/cache/) to the `pnpm build` command.
+
 ## Extract Documentation
 
 `pnpm run docs`
diff --git a/change/@itwin-electron-authorization-b24066e0-60c8-4841-8668-22bb0e7a0198.json b/change/@itwin-electron-authorization-b24066e0-60c8-4841-8668-22bb0e7a0198.json
@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Only listen on hostname and port provided in redirectUris. Previously, we would listen on any local interface with the selected port.",
+  "packageName": "@itwin/electron-authorization",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}
diff --git a/packages/electron/src/main/LoopbackWebServer.ts b/packages/electron/src/main/LoopbackWebServer.ts
@@ -70,7 +70,9 @@ export class LoopbackWebServer {
       server.on("error", reject);
 
       const urlParts: URL = new URL(LoopbackWebServer._redirectUri);
-      server.listen(urlParts.port, () => {
+      const portNumber = Number(urlParts.port);
+
+      server.listen(portNumber, urlParts.hostname, () => {
         LoopbackWebServer._httpServer = server;
         resolve();
       });