From 5bee54040f7bba8556dbd3ff5160678aed86c30c Mon Sep 17 00:00:00 2001
From: Thadeu Barros
Date: Thu, 8 Aug 2024 16:56:31 -0300
Subject: [PATCH 1/2] fix: make issuer url validation follow the same check rules as the domain check validation
---
 src/utils.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/utils.ts b/src/utils.ts
index fd388f037..568119aa7 100644
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -234,7 +234,7 @@ export const getTokenIssuer = (
 domainUrl: string
 ) => {
 if (issuer) {
- return issuer.startsWith('https://') ? issuer : `https://${issuer}/`;
+ return /^https?:\/\//.test(issuer) ? issuer : `https://${issuer}/`;
 }
 return `${domainUrl}/`;
From efb23e196ef9eb0c631a1b5bc5998fd5d029f57a Mon Sep 17 00:00:00 2001
From: Thadeu Barros
Date: Thu, 8 Aug 2024 17:30:08 -0300
Subject: [PATCH 2/2] test: add unit tests to the getTokenIssuer function
---
 __tests__/utils.test.ts | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/__tests__/utils.test.ts b/__tests__/utils.test.ts
index a1907ebe1..13bc24509 100644
--- a/__tests__/utils.test.ts
+++ b/__tests__/utils.test.ts
@@ -10,7 +10,8 @@ import {
 runIframe,
 urlDecodeB64,
 getCrypto,
- validateCrypto
+ validateCrypto,
+ getTokenIssuer
 } from '../src/utils';
 import { DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS } from '../src/constants';
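Review bot: The scheme test in `getTokenIssuer` (src/utils.ts, the `+ return` line) now returns an `http://` issuer unchanged, and nothing at the call site records that this is deliberate. If this value is what a token's `iss` claim is later compared against (the consumer is outside the hunk), a comment such as `// http:// is accepted as-is to mirror the domain check; production issuers should use https` would stop a later reader from tightening or loosening it by accident. The regex is also case-sensitive, so an issuer written as `HTTPS://…` falls into the else branch and becomes `https://HTTPS://…/`. `/^https?:\/\//i.test(issuer)` avoids that, assuming the domain check it mirrors treats the scheme the same way. The function's signature starts above the hunk.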
@@ -493,4 +494,33 @@ describe('utils', () => {
 `);
 });
 });
+
+ describe('getTokenIssuer', () => {
+ it('should add https:// to a non well formed URL', () => {
+ const issuer = getTokenIssuer('www.issuer.com', 'https://www.domain.com');
+ expect(issuer).toBe('https://www.issuer.com/');
+ });
+ it('should not add https:// to a well formed URL with HTTPS protocol', () => {
+ const issuer = getTokenIssuer(
+ 'https://www.issuer.com',
+ 'https://www.domain.com'
+ );
+ expect(issuer).toBe('https://www.issuer.com');
+ });
+ it('should not add https:// to a well formed URL with HTTP protocol', () => {
+ const issuer = getTokenIssuer(
+ 'http://www.issuer.com',
+ 'https://www.domain.com'
+ );
+ expect(issuer).toBe('http://www.issuer.com');
+ });
+ it('should return domain when issuer is undefined', () => {
+ const issuer = getTokenIssuer(undefined, 'https://www.domain.com');
+ expect(issuer).toBe('https://www.domain.com/');
+ });
+ it('should return domain when issuer is an empty string', () => {
+ const issuer = getTokenIssuer('', 'https://www.domain.com');
+ expect(issuer).toBe('https://www.domain.com/');
+ });
+ });
 });
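Review bot: The new `getTokenIssuer` cases only use lowercase schemes, so the result for a mixed-case scheme is left unpinned. Adding a case such as `getTokenIssuer('HTTPS://www.issuer.com', 'https://www.domain.com')` with the intended expectation would record whether the scheme match is meant to be case-sensitive. A short comment above the `http://` case, for example `// plaintext issuers are passed through unchanged by design`, would also make clear that the test encodes a decision and not an accident.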