From 2e0a4474aae3f45e0d11e0b18ddafb95fca0b1df Mon Sep 17 00:00:00 2001
From: Lakhan Samani
Date: Sat, 4 Apr 2026 19:14:10 +0530
Subject: [PATCH] fix(security): encode redirect_uri, limit state payload, fix iframe timeout in authorizer-js

---
 src/index.ts | 14 +++++++-------
 src/utils.ts | 1 +
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/index.ts b/src/index.ts
index 938139e..aa10b5e 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -116,8 +116,8 @@ export class Authorizer {
 if (err.error) {
 window.location.replace(
 `${this.config.authorizerURL}/app?state=${encode(
- JSON.stringify(this.config),
- )}&redirect_uri=${this.config.redirectURL}`,
+ JSON.stringify({ clientID: this.config.clientID, redirectURL: this.config.redirectURL, authorizerURL: this.config.authorizerURL }),
+ )}&redirect_uri=${encodeURIComponent(this.config.redirectURL || '')}`,
 );
 }
@@ -142,8 +142,8 @@ export class Authorizer {
 window.location.replace(
 `${this.config.authorizerURL}/app?state=${encode(
- JSON.stringify(this.config),
- )}&redirect_uri=${this.config.redirectURL}`,
+ JSON.stringify({ clientID: this.config.clientID, redirectURL: this.config.redirectURL, authorizerURL: this.config.authorizerURL }),
+ )}&redirect_uri=${encodeURIComponent(this.config.redirectURL || '')}`,
 );
 return this.errorResponse(err);
 }
@@ -350,9 +350,9 @@ export class Authorizer {
 if (roles && roles.length) urlState += `&roles=${roles.join(',')}`;
 window.location.replace(
- `${this.config.authorizerURL}/oauth_login/${oauthProvider}?redirect_uri=${
- redirect_uri || this.config.redirectURL
- }&state=${urlState}`,
+ `${this.config.authorizerURL}/oauth_login/${oauthProvider}?redirect_uri=${encodeURIComponent(
+ redirect_uri || this.config.redirectURL || ''
+ )}&state=${encodeURIComponent(urlState)}`,
 );
 };
diff --git a/src/utils.ts b/src/utils.ts
index c0a2565..966851d 100644
--- a/src/utils.ts
+++ b/src/utils.ts
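Review bot: The `state` value on the new `+` lines is still interpolated into the query string raw while only `redirect_uri` gets `encodeURIComponent`, so the two parameters of the same URL are treated differently. `encode` is defined outside this hunk; if it emits standard base64, its `+`, `/` and `=` characters are not query-safe (`+` is read back as a space by most query parsers) and the server would receive a corrupted state, so the value should be wrapped the same way the oauth_login hunk wraps `urlState`: `state=${encodeURIComponent(encode(JSON.stringify({ clientID: this.config.clientID, redirectURL: this.config.redirectURL, authorizerURL: this.config.authorizerURL })))}`. Trimming the payload to those three fields is the right call, since the old `JSON.stringify(this.config)` echoed whatever else a caller had placed in the config into the URL and therefore into browser history and referrer logs. The enclosing method starts and ends outside this hunk.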
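Review bot: The two added lines are byte-for-byte the same URL construction as the hunk at line 116, so any later correction (for example URL-encoding the `state` value, which neither copy does) has to be made twice and can drift. A private helper that builds the `/app` redirect through `URLSearchParams` keeps both call sites identical and makes the encoding of every parameter automatic; both sites would then read `window.location.replace(this.appRedirectURL());`. The excerpt below sketches the helper; the surrounding method starts and ends outside this hunk.
```typescript
  // … unchanged: other Authorizer members …

  /** Hosted-login-app URL carrying only the config fields the app must hand back. */
  private appRedirectURL(): string {
    const params = new URLSearchParams({
      state: encode(
        JSON.stringify({
          clientID: this.config.clientID,
          redirectURL: this.config.redirectURL,
          authorizerURL: this.config.authorizerURL,
        }),
      ),
      redirect_uri: this.config.redirectURL || '',
    });
    return `${this.config.authorizerURL}/app?${params.toString()}`;
  }
```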
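Review bot: The new `state=${encodeURIComponent(urlState)}` percent-encodes the `&roles=...` suffix that the context line above appends to `urlState`, so the `&` becomes `%26` and `roles` no longer arrives as a separate query parameter; it is now buried inside the opaque state value. The old interpolation relied on that `&` reaching the server unescaped, so unless the server splits roles back out of the state string (not visible here) role-restricted OAuth logins silently lose their role filter after this change. Roles should travel as their own parameter and the query should be assembled with `URLSearchParams`, which also removes the hand-rolled encoding; see the excerpt. `oauthProvider` is still interpolated into the path unencoded; if it is validated against the provider list earlier in the method that is acceptable, otherwise it belongs in `encodeURIComponent` as well. The enclosing method starts outside this hunk.
```typescript
    // … unchanged: urlState generation and provider/window checks …
    const params = new URLSearchParams({
      redirect_uri: redirect_uri || this.config.redirectURL || '',
      state: urlState,
    });
    // roles is its own query parameter; appending it to state would be escaped away
    if (roles && roles.length) params.set('roles', roles.join(','));
    window.location.replace(
      `${this.config.authorizerURL}/oauth_login/${oauthProvider}?${params.toString()}`,
    );
  };
```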
@@ -124,6 +124,7 @@ export const executeIframe = (
 };
 const timeoutSetTimeoutId = setTimeout(() => {
+ reject(new Error('Authorization timeout'));
 removeIframe();
 }, timeoutInSeconds * 1000);
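Review bot: The rejection on the added line is a bare `Error`, so a caller awaiting `executeIframe` cannot tell a timeout apart from any other failure without string-matching the message; naming it is cheap: `const err = new Error('Authorization timeout'); err.name = 'TimeoutError'; reject(err);`. Rejecting before `removeIframe()` is the right order, since a promise settles once and a cleanup that throws can then no longer swallow the timeout. Whether a late message from the iframe can still call `resolve` after this fires depends on listener cleanup inside `removeIframe`, which is outside the hunk; a second settle is ignored, but it is worth confirming the listener is detached so the iframe cannot keep posting into the page. The enclosing `executeIframe` starts and ends outside this hunk.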