From 6ce042d695a741d41ecc472e832be3c2cb46fc61 Mon Sep 17 00:00:00 2001
From: julien mounier <julien.mounier@doctolib.com>
Date: Tue, 30 Apr 2024 18:11:13 +0200
Subject: [PATCH] fix(oidc): ensure Origin can be set on call to IDPs

---
 packages/core/src/Network/Client.ts | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/packages/core/src/Network/Client.ts b/packages/core/src/Network/Client.ts
index d1036a38..11847a69 100644
--- a/packages/core/src/Network/Client.ts
+++ b/packages/core/src/Network/Client.ts
@@ -104,12 +104,17 @@ export class Client {
   // Simple _fetch wrapper with:
   //   - proper headers set (sdk info and authorization)
   //   - generic error handling
-  _baseApiCall = async (path: string, authenticated: boolean, init?: RequestInit): Promise<any> => {
-    try {
-      if (!path || path[0] !== '/') {
-        throw new InvalidArgument('"path" should be non empty and start with "/"');
-      }
+  _baseApiCall = (path: string, authenticated: boolean, init?: RequestInit): Promise<any> => {
+    if (!path || path[0] !== '/') {
+      throw new InvalidArgument('"path" should be non empty and start with "/"');
+    }
+    const url = `${this._apiEndpoint}${this._apiRootPath}${path}`;
 
+    return this._basehttpCall(url, authenticated, init);
+  };
+
+  _basehttpCall = async (url: string, authenticated: boolean, init?: RequestInit): Promise<any> => {
+    try {
       const headers = (init?.headers ? init.headers : {}) as Record<string, string>;
       headers['X-Tanker-Instanceid'] = this._instanceId;
       headers['X-Tanker-Sdktype'] = this._sdkType;
@@ -119,7 +124,6 @@ export class Client {
         headers['Authorization'] = `Bearer ${this._accessToken}`; // eslint-disable-line dot-notation
       }
 
-      const url = `${this._apiEndpoint}${this._apiRootPath}${path}`;
 
       const response = await this._fetch(url, { ...init, headers });
 
@@ -448,11 +452,20 @@ export class Client {
   };
 
   oidcSignIn = async (oidcProviderId: string): Promise<OidcAuthorizationCodeVerification> => {
-    const { code, state } = await this._baseApiCall(
+    const resp = await this._baseApiCall(
       `/oidc/${oidcProviderId}/signin?user_id=${urlize(this._userId)}`,
       false,
       { credentials: 'include' },
     );
+
+    const { location } = resp;
+
+    const { code, state } = await this._basehttpCall(
+      location,
+      false,
+      { credentials: 'include' },
+    );
+
     return {
       oidcProviderId,
       oidcAuthorizationCode: code,