Harden OAuth callback postMessage origin and payload encoding

ي
2026-05-11 15:47:59 +05:30
committed by ajaysi
parent 8834a05cf5
commit 11d83e6f86
3 changed files with 173 additions and 154 deletions


@@ -16,6 +16,10 @@ EXA_API_KEY=your_exa_api_key_here
# Frontend URL for OAuth callbacks
FRONTEND_URL=https://alwrity-ai.vercel.app
# Optional comma-separated allowlist of trusted frontend origins used for OAuth callback postMessage targetOrigin.
# If unset, FRONTEND_URL origin is used.
# Example: OAUTH_CALLBACK_ALLOWED_ORIGINS=https://alwrity-ai.vercel.app,http://localhost:3000
OAUTH_CALLBACK_ALLOWED_ORIGINS=
# OAuth Redirect URIs (Using environment variable for flexibility)
GSC_REDIRECT_URI=${FRONTEND_URL}/gsc/callback
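Review bot: The comment above OAUTH_CALLBACK_ALLOWED_ORIGINS does not say what form an entry must take, and its example puts a plain-http localhost origin next to the production one, which is easy to copy unchanged into a production deployment. These values become the postMessage targetOrigin for the OAuth callback, so an over-broad or malformed entry would widen which windows can receive the callback payload. I would add `# Each entry must be an exact origin (scheme://host[:port]); no paths, trailing slashes or wildcards.` and `# Keep http://localhost origins out of production deployments.` to the comment. The code that parses this variable is not visible in this section, so it should be confirmed there whether malformed entries are rejected or silently dropped.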