Summary
Several pre-existing auth-related bugs identified during review of #124. These are NOT regressions from #124 — they exist on master today.
Bug 1: OAuth auth URL missing encodeURIComponent
File: products/userale/packages/flagon-userale-ext/src/options/auth.tsx (~line 40)
const authUrl = `${issuerUrl}/protocol/openid-connect/auth?` +
`client_id=${clientId}` + // ← NOT URL-encoded
clientId is concatenated directly without encodeURIComponent(). If a client ID contains special characters (&, =, #), it corrupts the OAuth URL and could enable URL parameter injection.
Fix: client_id=${encodeURIComponent(clientId)}
Bug 2: OAuth form missing preventDefault()
File: products/userale/packages/flagon-userale-ext/src/options/auth.tsx
The handleLogin function is async but does not accept or call e.preventDefault(). When used as a form onSubmit handler, the browser will attempt default form submission (page reload) before the async OAuth flow completes.
Fix: Change signature to const handleLogin = async (e: React.FormEvent) => { e.preventDefault(); ... }
Bug 3: Extension STORAGE_KEYS constant out of sync
File: products/userale/packages/flagon-userale-ext/src/utils/storage.ts
After #124, StoredOptions includes apiKey and authMode, but the STORAGE_KEYS constant and DEFAULT_OPTIONS only list accessToken, allowList, loggingUrl. This inconsistency could confuse contributors and break if code relies on STORAGE_KEYS for enumeration.
Fix: Add apiKey, authMode to both STORAGE_KEYS and DEFAULT_OPTIONS.
Bug 4: Extension regex validation on partial updates
File: products/userale/packages/flagon-userale-ext/src/utils/storage.ts (line 60)
export async function setStoredOptions(values: Partial<StoredOptions>) {
try {
new RegExp(values.allowList) // throws if allowList not in partial
new URL(values.loggingUrl) // throws if loggingUrl not in partial
} catch (error) {
return error
}
Validation runs unconditionally on allowList and loggingUrl even when they are not being updated (partial update). new RegExp(undefined) creates a regex matching the string "undefined" (silent wrong behavior), while new URL(undefined) throws.
Note: #124 likely fixes this, but confirm the fix is correct (should only validate fields present in the partial update).
Context
All bugs pre-date #124. Found during security and software engineering review.
Summary
Several pre-existing auth-related bugs identified during review of #124. These are NOT regressions from #124 — they exist on
mastertoday.Bug 1: OAuth auth URL missing
encodeURIComponentFile:
products/userale/packages/flagon-userale-ext/src/options/auth.tsx(~line 40)clientIdis concatenated directly withoutencodeURIComponent(). If a client ID contains special characters (&,=,#), it corrupts the OAuth URL and could enable URL parameter injection.Fix:
client_id=${encodeURIComponent(clientId)}Bug 2: OAuth form missing
preventDefault()File:
products/userale/packages/flagon-userale-ext/src/options/auth.tsxThe
handleLoginfunction isasyncbut does not accept or calle.preventDefault(). When used as a formonSubmithandler, the browser will attempt default form submission (page reload) before the async OAuth flow completes.Fix: Change signature to
const handleLogin = async (e: React.FormEvent) => { e.preventDefault(); ... }Bug 3: Extension
STORAGE_KEYSconstant out of syncFile:
products/userale/packages/flagon-userale-ext/src/utils/storage.tsAfter #124,
StoredOptionsincludesapiKeyandauthMode, but theSTORAGE_KEYSconstant andDEFAULT_OPTIONSonly listaccessToken,allowList,loggingUrl. This inconsistency could confuse contributors and break if code relies onSTORAGE_KEYSfor enumeration.Fix: Add
apiKey,authModeto bothSTORAGE_KEYSandDEFAULT_OPTIONS.Bug 4: Extension regex validation on partial updates
File:
products/userale/packages/flagon-userale-ext/src/utils/storage.ts(line 60)Validation runs unconditionally on
allowListandloggingUrleven when they are not being updated (partial update).new RegExp(undefined)creates a regex matching the string"undefined"(silent wrong behavior), whilenew URL(undefined)throws.Note: #124 likely fixes this, but confirm the fix is correct (should only validate fields present in the partial update).
Context
All bugs pre-date #124. Found during security and software engineering review.