Lines 656-696javascript
656 if (target[1] === "/" || target[1] === "\\") return false;
657 if (target.includes("\\")) return false;
658 for (let i = 0; i < target.length; i++) {
659 const code = target.charCodeAt(i);
660 if (code <= 32 || code === 127) return false;
665* Return `requested` when it is a safe same-origin relative redirect, else
666* `fallback`. Used at `/start` (before signing) and re-checked in
667* `oauth-exchange` (before honoring) — defense in depth around the signed
670function resolveOAuthRedirect(requested, fallback) {
671 return isSafeRelativeRedirect(requested) ? requested : fallback;
674//#region src/authz/authz-tokens.ts
676* Explicit string DI tokens for the ABSTRACT authorization-server stores
677* ({@link import("@aooth/auth/authz").PendingAuthorizationStore},
678* {@link import("@aooth/auth/authz").AuthCodeStore}) — the framework-agnostic
MediumDynamic Require
Package source references dynamic require/import behavior.
dist/index.mjsView on unpkg · L676 679* abstracts live in `@aooth/auth/authz`; these moost-DI binding strings stay in
680* the integration layer (the same split as `FEDERATED_IDENTITY_STORE_TOKEN`).
682* Both are abstract classes. moost's constructor injection keys the
683* provide-registry by the design:paramtype class reference — fine for a CONCRETE
684* provided class, but for an abstract paramtype infact falls back to auto-
685* instantiating the body-less abstract class, yielding an object whose methods
686* are missing. Binding under an explicit string token + `@Inject(<token>)`
687* sidesteps the class-reference path (the same pattern as
688* `FEDERATED_IDENTITY_STORE_TOKEN`).
690* Consumers provide the concrete instance under the exact string:
693* createProvideRegistry(
694* [PENDING_AUTHORIZATION_STORE_TOKEN, () => new PendingAuthorizationStoreMemory()],
695* [AUTH_CODE_STORE_TOKEN, () => new AuthCodeStoreMemory()],