libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

Limit requests sent through session status iframe (#132) (#28864)

Browse source 
Closes #116

Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
This commit is contained in:
Stian Thorgersen 2024-04-18 14:02:37 +02:00 committed by GitHub
parent 2c069433f9
commit cbc4a8c305
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
services/src/main/resources/org/keycloak/protocol/oidc/endpoints/login-status-iframe.html
View file

@ -28,6 +28,7 @@
} }
let init; let init;
let preventAdditionalRequests = false;
async function checkState(clientId, origin, sessionState) { async function checkState(clientId, origin, sessionState) {
// Check if the browser has granted us access to 3rd-party storage (such as cookies). // Check if the browser has granted us access to 3rd-party storage (such as cookies).
@ -41,6 +42,13 @@
// If not initialized, verify this client is allowed access with a call to the server. // If not initialized, verify this client is allowed access with a call to the server.
if (!init) { if (!init) {
// Prevent additional requests to the server to avoid potential DoS attacks.
if (preventAdditionalRequests) {
return "error";
} else {
preventAdditionalRequests = true;
}
const url = new URL(`${location.origin}${location.pathname}/init`); const url = new URL(`${location.origin}${location.pathname}/init`);
url.searchParams.set("client_id", clientId); url.searchParams.set("client_id", clientId);