Update handleRedirect to ensure that it doesn't handle messages from … (

#216) * Update handleRedirect to ensure that it doesn't handle messages from other popup windows
rogebrd · Oct 21, 2021 · a8a39cb · a8a39cb
1 parent dc5b121
commit a8a39cb
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -43,7 +43,7 @@ npm install --save-dev dropbox-oauth-popup
 Or you can use it directly in your browser be including the following tag
 
 ```
-<script src="https://cdn.jsdelivr.net/npm/dropbox-oauth-popup@2.0.1"></script>
+<script src="https://cdn.jsdelivr.net/npm/dropbox-oauth-popup@3.1.0"></script>
 ```
 
 ## License

diff --git a/examples/browser.html b/examples/browser.html
@@ -5,17 +5,20 @@
     <script src="https://cdn.jsdelivr.net/npm/promise-polyfill@7/dist/polyfill.min.js"></script>
     <script src="https://cdnjs.cloudflare.com/ajax/libs/fetch/2.0.3/fetch.js"></script>
     <script src="https://cdn.jsdelivr.net/npm/dropbox/dist/Dropbox-sdk.js"></script>
-    <script src="https://cdn.jsdelivr.net/npm/dropbox-oauth-popup@3.0.0/dist/dropboxPopup.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/dropbox-oauth-popup@3.1.0/dist/dropboxPopup.js"></script>
 </head>
 
 <body>
     <div>
         <h1>Dropbox OAuth Popup Window</h1>
         <p>
-            See the Dropbox OAuth Popup Window in action by clicking the run example button. This example will authenticate with your Dropbox account and use the token to fetch the current account using the `users.getCurrentAccount` endpoint. (Note, nothing is saved,
+            See the Dropbox OAuth Popup Window in action by clicking the run example button. This example will
+            authenticate with your Dropbox account and use the token to fetch the current account using the
+            `users.getCurrentAccount` endpoint. (Note, nothing is saved,
             this is just a demo.)
         </p>
-        <p>See the code on <a href="https://github.com/rogebrd/dropbox-oauth-popup/blob/main/examples/browser.html">GitHub</a></p>
+        <p>See the code on <a
+                href="https://github.com/rogebrd/dropbox-oauth-popup/blob/main/examples/browser.html">GitHub</a></p>
         <button onclick="runAuth()">Run Example</button>
         <p id="result"></p>
         <script>

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "dropbox-oauth-popup",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "registry": "npm",
   "description": "This is a simple addition built onto the Dropbox SDK that allows for OAuth in the browser to be done via a popup window.",
   "homepage": "https://github.com/rogebrd/dropbox-oauth-popup",
@@ -58,4 +58,4 @@
     "front-end",
     "window"
   ]
-}
+}
diff --git a/src/dropboxPopup.js b/src/dropboxPopup.js
@@ -33,9 +33,10 @@ const defaultTimeout = 300000; // 5 minutes
  * @class DropboxPopup
  * @classdesc The DropboxPopup class is to provide a simple popup window to preform OAuth in.
  * @param {object} options
- * @param {string} options.clientId - The client id for your app.
+ * @param {string} options.clientId - [Required] The client id for your app.
  * @param {string} [options.clientSecret] - The client secret for your app.
- * @param {string} [options.redirectUri] - The redirect Uri to return to once auth is complete.
+ * @param {string} [options.redirectUri] - [Required] The redirect Uri to return to once auth is
+ * complete.
  * @param {string} [options.tokenAccessType] - type of token to request.  From the following:
  * legacy - creates one long-lived token with no expiration
  * online - create one short-lived token with an expiration
@@ -110,6 +111,10 @@ export default class DropboxPopup {
        * @returns {void}
        */
       function handleRedirect(event) {
+        if (event.source !== popup) {
+          return;
+        }
+
         window.removeEventListener('message', popup.handleRedirect);
 
         const { data } = event;