Narrow the scope of the local server handler

mislav · mislav · commit bbeb558fce0b · 2020-01-13T20:14:00.000+01:00
Before, the local server handled any request regardless of path, which
could potentially include requests generated by the browser such as the
one for favicon. This could lead to race conditions around reading the
code to continue to OAuth flow with.

Now, have the OAuth flow redirect to `localhost:PORT/callback` and only
handle `/callback` requests specifically.
diff --git a/auth/oauth.go b/auth/oauth.go
@@ -46,7 +46,7 @@ func (oa *OAuthFlow) ObtainAccessToken() (accessToken string, err error) {
 
 	q := url.Values{}
 	q.Set("client_id", oa.ClientID)
-	q.Set("redirect_uri", fmt.Sprintf("http://localhost:%d", port))
+	q.Set("redirect_uri", fmt.Sprintf("http://localhost:%d/callback", port))
 	q.Set("scope", "repo")
 	q.Set("state", state)
 
@@ -57,6 +57,10 @@ func (oa *OAuthFlow) ObtainAccessToken() (accessToken string, err error) {
 	}
 
 	http.Serve(listener, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/callback" {
+			w.WriteHeader(404)
+			return
+		}
 		defer listener.Close()
 		rq := r.URL.Query()
 		if state != rq.Get("state") {
