From 140737b2f66674fcf453d8286fdd6cc15740f556 Mon Sep 17 00:00:00 2001
From: Yang Luo
Date: Tue, 31 Oct 2023 22:36:56 +0800
Subject: [PATCH] Fix some bugs in Apple OAuth login path
---
 authz/authz.go | 2 +-
 object/check.go | 4 ++--
 routers/cors_filter.go | 5 +++++
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/authz/authz.go b/authz/authz.go
index 82f974a5..d9a7ef47 100644
--- a/authz/authz.go
+++ b/authz/authz.go
@@ -147,7 +147,7 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o
 func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {
 if method == "POST" {
- if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" {
+ if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/callback" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" {
 return true
 } else if urlPath == "/api/update-user" {
 // Allow ordinary users to update their own information
diff --git a/object/check.go b/object/check.go
index aa7d6f79..04c8c6c2 100644
--- a/object/check.go
+++ b/object/check.go
@@ -351,8 +351,8 @@ func CheckUserPermission(requestUserId, userId string, strict bool, lang string)
 }
 func CheckLoginPermission(userId string, application *Application) (bool, error) {
- var err error
- if userId == "built-in/admin" {
+ owner, _ := util.GetOwnerAndNameFromId(userId)
+ if owner == "built-in" {
 return true, nil
 }
diff --git a/routers/cors_filter.go b/routers/cors_filter.go
index a109108a..aef3b862 100644
--- a/routers/cors_filter.go
+++ b/routers/cors_filter.go
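Review bot: The condition on the added line in isAllowedInDemoMode is now a seven-term `||` chain of path literals, and nothing records why `/api/callback` must be reachable without a session in demo mode. Hoisting the exact-match paths into a package-level set keeps the `strings.HasPrefix(urlPath, "/api/login")` prefix rule visibly separate and makes the next addition a one-line change instead of a longer condition. A comment on that set such as `// POST endpoints demo mode accepts without a session; /api/callback takes the provider's redirect (e.g. Apple OAuth) before any session exists` would document the intent — the Apple connection is inferred from the commit subject, so confirm it before writing it down. isAllowedInDemoMode continues past the hunk, so the `else if` branches below the shown lines are not visible here.
```go
// demoModePublicPOSTPaths lists the POST endpoints demo mode accepts without a
// session; /api/login* is matched by prefix separately below.
var demoModePublicPOSTPaths = map[string]struct{}{
	"/api/logout":                 {},
	"/api/signup":                 {},
	"/api/callback":               {},
	"/api/send-verification-code": {},
	"/api/send-email":             {},
	"/api/verify-captcha":         {},
}

func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {
	if method == "POST" {
		if _, ok := demoModePublicPOSTPaths[urlPath]; ok || strings.HasPrefix(urlPath, "/api/login") {
			return true
		} else if urlPath == "/api/update-user" {
			// … unchanged: per-user update rule and the remaining branches …
```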
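Review bot: The replaced check in CheckLoginPermission widens the exemption from the single `built-in/admin` user to every user whose owner is `built-in`, and the commit message (Apple OAuth fixes) does not say that this broadening is intended. If only the admin account should skip the application's login restrictions, keep the name in the comparison: `owner, name := util.GetOwnerAndNameFromId(userId)` followed by `if owner == "built-in" && name == "admin" {`. If the whole organization is meant to be exempt, a comment on the new line should say so, e.g. `// every user of the built-in organization bypasses the application's login checks`. What GetOwnerAndNameFromId does with an id that lacks an owner separator is not visible here: an empty owner simply falls through, but if it panics the function now fails on malformed ids where the old string comparison did not, so confirm that. The rest of CheckLoginPermission, including whatever used the removed `err` declaration, lies outside the hunk.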
@@ -51,6 +51,11 @@ func CorsFilter(ctx *context.Context) {
 return
 }
+ if originHostname == "appleid.apple.com" {
+ setCorsHeaders(ctx, origin)
+ return
+ }
+
 if ctx.Request.Method == "POST" && ctx.Request.RequestURI == "/api/login/oauth/access_token" {
 setCorsHeaders(ctx, origin)
 return
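Review bot: The new branch grants CORS headers to any request whose Origin hostname is `appleid.apple.com`, for every method and path, whereas the existing exception right below it is limited to POST on `/api/login/oauth/access_token`. Since the authz change in this same commit only needs `/api/callback` reachable, scoping the branch the same way keeps the cross-origin surface to the one endpoint the provider posts to: `if originHostname == "appleid.apple.com" && ctx.Request.Method == "POST" && ctx.Request.RequestURI == "/api/callback" {`. The exact hostname comparison (rather than a suffix or contains match) is the right shape and should stay; a short comment naming the reason, such as `// Apple's OAuth flow returns the authorization response by cross-origin POST`, would help the next reader, though that detail is inferred from the commit subject rather than shown here. How origin and originHostname are derived, and what setCorsHeaders emits, sit outside the hunk, so whether credentials are reflected for this origin cannot be checked from this view.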