
Accidental URL decoding of query parameters

Open Kvit opened this issue 5 years ago • 5 comments

When using a Shiny app with URL-encoded parameters, the library accidentally decodes them, which makes the URL incorrect. For example, try a parameter like /?param=two%20words; it will become /?param=two words and you will get an error from Auth0:

invalid_request: The redirect_uri parameter is not valid: "http://localhost:8080/?param=two words" If url looks fine, check that you are not including non printable chars

Kvit avatar Feb 14 '20 23:02 Kvit

Hi, Can you check if the latest commit here fixes that? Thanks

pmoulos avatar Feb 20 '20 16:02 pmoulos

Hi, Can you check if the latest commit here fixes that? Thanks

@pmoulos, unfortunately your latest branch does not fix the problem, still getting error:

{
  "date": "2020-02-21T15:27:29.365Z",
  "type": "f",
  "description": "The redirect_uri parameter is not valid: \"http://localhost:8080/?param=two words\" If url looks fine, check that you are not including non printable chars"
}

Kvit avatar Feb 21 '20 15:02 Kvit

@pmoulos, any additional thoughts on this issue?

Kvit avatar Mar 05 '20 04:03 Kvit

Hi @Kvit,

Are you sure that this can be achieved? I think that there is an incompatibility between how Shiny bookmarking encodes parameters in the URL so that Shiny can understand them and how auth0 parses the URL. This is why @jtrecenti states this about how bookmarking should be done to use the auth0 service with Shiny. So I am not sure that encoding bookmarking parameters in the URL is possible and one should use enableBookmarking(store="server") with potential inconveniences though (e.g. having to manage the created states in the server). For my cases this is not a problem as I usually have many parameters to be bookmarked so I use server store anyway.

Regards

pmoulos avatar Mar 21 '20 07:03 pmoulos

I'm not using standard Bookmarking - too messy. I parse the URL reactively, and I use URL encoding/decoding. It works fine without Auth0 "wrapping".

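require(shiny)
require(magrittr)

server <- function(input, output, session) {
  # ---- observe URL ----
  # get params from url as a named character vector (values are decoded);
  # a reactive is used so the result is visible outside this block
  query <- reactive({
    parseQueryString(req(session$clientData$url_search)) %>% unlist()
  })

  # make url: re-encode each value and rebuild the name=value pairs
  url_share <- reactive({
    paste0(
      session$clientData$url_protocol, "//", session$clientData$url_hostname,
      ifelse(session$clientData$url_port != "", paste0(":", session$clientData$url_port), ""),
      session$clientData$url_pathname,
      "?", paste0(names(query()), "=",
                  vapply(query(), URLencode, character(1), reserved = TRUE),
                  collapse = "&")
    )
  })
}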

Kvit avatar Mar 23 '20 17:03 Kvit
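
The failure reported in this issue, reproduced as an added example (not code from the auth0 package or from any commenter): a redirect_uri rebuilt from decoded query values contains a raw space, while re-encoding each name and value restores the original URL. The function names and the sample search string are assumptions made for illustration; only base R is used.

```r
# Split a search string ("?k=v&k2=v2") into a named vector of DECODED values,
# which is the form query parameters take after parsing.
parse_search <- function(search) {
  pairs <- strsplit(sub("^\\?", "", search), "&", fixed = TRUE)[[1]]
  pairs <- pairs[nzchar(pairs)]
  key <- sub("=.*$", "", pairs)
  val <- ifelse(grepl("=", pairs, fixed = TRUE), sub("^[^=]*=", "", pairs), "")
  dec <- function(x) vapply(gsub("+", " ", x, fixed = TRUE),
                            utils::URLdecode, character(1), USE.NAMES = FALSE)
  stats::setNames(dec(val), dec(key))
}

# Rebuild the redirect_uri, percent-encoding every name and value.
# repeated = TRUE matters: with the default, URLencode() returns its input
# untouched as soon as it sees something that looks like "%XX".
build_redirect_uri <- function(base, params) {
  if (length(params) == 0) return(base)
  enc <- function(x) vapply(x, utils::URLencode, character(1),
                            reserved = TRUE, repeated = TRUE, USE.NAMES = FALSE)
  paste0(base, "?", paste0(enc(names(params)), "=", enc(params), collapse = "&"))
}

# Pre-flight check before handing the URI to the identity provider:
# only RFC 3986 characters (IPv6 brackets left out) and well-formed %XX escapes.
is_wire_safe <- function(uri) {
  !grepl("[^A-Za-z0-9._~:/?#@!$&'()*+,;=%-]", uri) &&
    !grepl("%(?![0-9A-Fa-f]{2})", uri, perl = TRUE)
}

# Constructed sample input, shaped like session$clientData$url_search.
search <- "?param=two%20words&q=a%26b"
base   <- "http://localhost:8080/"
params <- parse_search(search)

# Pasting decoded values back in gives the URL from the error message.
naive <- paste0(base, "?", paste0(names(params), "=", params, collapse = "&"))
fixed <- build_redirect_uri(base, params)

stopifnot(
  !is_wire_safe(naive),                    # contains "two words" with a raw space
  is_wire_safe(fixed),
  identical(fixed, paste0(base, search))   # round-trips to the original URL
)
cat("naive:", naive, "\nfixed:", fixed, "\n")
```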