Narrow the scope of the local server handler

Before, the local server handled any request regardless of path, which could potentially include requests generated by the browser such as the one for favicon. This could lead to race conditions around reading the code to continue to OAuth flow with. Now, have the OAuth flow redirect to `localhost:PORT/callback` and only handle `/callback` requests specifically.
zhangaz1 · Jan 13, 2020 · bbeb558 · bbeb558
1 parent 635d296
commit bbeb558
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/auth/oauth.go b/auth/oauth.go
@@ -46,7 +46,7 @@ func (oa *OAuthFlow) ObtainAccessToken() (accessToken string, err error) {
 
 	q := url.Values{}
 	q.Set("client_id", oa.ClientID)
-	q.Set("redirect_uri", fmt.Sprintf("http://localhost:%d", port))
+	q.Set("redirect_uri", fmt.Sprintf("http://localhost:%d/callback", port))
 	q.Set("scope", "repo")
 	q.Set("state", state)
 
@@ -57,6 +57,10 @@ func (oa *OAuthFlow) ObtainAccessToken() (accessToken string, err error) {
 	}
 
 	http.Serve(listener, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/callback" {
+			w.WriteHeader(404)
+			return
+		}
 		defer listener.Close()
 		rq := r.URL.Query()
 		if state != rq.Get("state") {