fief
client -> redirect_URI validation flow
Describe the bug
When entering multiple URIs via the GUI for a client, only the first entry is validated for https. The validation logic stops at the first entry found that fails the validation. Once the failed entry is fixed, the test passes and doesn't test the other entries.
To Reproduce
- Go to http://fief.localhost/admin/clients/
- Select a Client
- Click Edit Client
- Click add redirect_URI to have >1 entries.
- Enter multiple http (not TLS) URI entries (>1) in the client redirect_URI
The system will complain that the first entry is http and not https.
- Modify the first entry to https and submit, the form will pass validation, despite the second entry still set with http.
Expected behavior
Every entry should be tested and should pass validation.
Configuration
- Cloud or self-hosted: Self-hosted
- If self-hosted, Fief version: "0.27.0"
I would argue that forcing https for the callback is cumbersome for a development context where everything runs on localhost.
May I suggest a checkbox to disable force https, or a .env variable (please advise if already available).
I can't reproduce the behavior you describe. I've checked and the system does check that every URL is in HTTPS:
Regarding enforcing HTTPS on Redirect URL, we do have an environment variable to disable this behavior: https://docs.fief.dev/self-hosting/environment-variables/#client-redirect-uris
That's odd. I could repeat it multiple times by adding and removing fields, saving, editing and so on.
Surprisingly, the first attempt allowed me to have the first entry as https and the other entries as http (I had 4 addresses total when I tested). Every time I save and edit, the next http would flag and wouldn't allow me to save.
If you don't have this behaviour and you can't reproduce it, let's just assume some gremlins on my system. I might have something non-standard.
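
The expected behavior from the report, written as an added example that is not part of the thread and not Fief's code: every redirect URI in the list is checked and every failing entry is reported by index. The function names and the `require_https` parameter (standing in for the HTTPS toggle discussed above) are hypothetical, and the sample URIs are constructed.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def check_redirect_uri(uri: str, require_https: bool = True) -> Optional[str]:
    """Return an error message for one redirect URI, or None if it is acceptable."""
    try:
        parts = urlsplit(uri.strip())
        host = parts.hostname
    except ValueError:
        # urlsplit raises on malformed authorities such as an unclosed "[".
        return "not a valid URL"
    if not parts.scheme or not host:
        return "not an absolute URL"
    # Assumption of this example: only web callbacks (http/https) are allowed.
    if parts.scheme not in ("http", "https"):
        return "unsupported scheme"
    if require_https and parts.scheme != "https":
        return "must use https"
    return None


def validate_redirect_uris(uris: List[str], require_https: bool = True) -> Dict[int, str]:
    """Check every entry and map the index of each failing entry to its error.

    An empty dict means the whole list passed. The loop never returns early,
    so fixing the first entry cannot hide a bad second or third one.
    """
    errors: Dict[int, str] = {}
    for index, uri in enumerate(uris):
        error = check_redirect_uri(uri, require_https)
        if error is not None:
            errors[index] = error
    return errors


# Constructed input matching the scenario in the report:
# first entry already fixed to https, the remaining three still http.
REPORTED_CASE = [
    "https://app.example.com/callback",
    "http://localhost:8000/callback",
    "http://127.0.0.1:3000/cb",
    "http://app.example.com/cb",
]

if __name__ == "__main__":
    for index, message in validate_redirect_uris(REPORTED_CASE).items():
        print(f"redirect_uris[{index}]: {message}")
```

Used as a regression test, the reported case must be rejected as long as any entry is `http` and HTTPS is required.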