Add a sessionID check
This commit is contained in:
Manav Rathi
@@ -4,7 +4,8 @@
|
||||
|
||||
Data tied to the browser tab's lifetime.
|
||||
|
||||
We store the user's encryption key here.
|
||||
The primary information store in session storage is the user's encryption key
|
||||
here. In addition, various other transient bits and bobs are also kept here.
|
||||
|
||||
## Local Storage
|
||||
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
import { nullToUndefined } from "@/utils/transform";
|
||||
import { VerticallyCentered } from "@ente/shared/components/Container";
|
||||
import EnteSpinner from "@ente/shared/components/EnteSpinner";
|
||||
import { fromB64URLSafeNoPaddingString } from "@ente/shared/crypto/internal/libsodium";
|
||||
@@ -24,10 +25,8 @@ const Page: React.FC<PageProps> = () => {
|
||||
const response = searchParams.get("response");
|
||||
if (!response) return;
|
||||
|
||||
saveCredentials(response).then(() => {
|
||||
const redirectURL = InMemoryStore.get(MS_KEYS.REDIRECT_URL);
|
||||
InMemoryStore.delete(MS_KEYS.REDIRECT_URL);
|
||||
router.push(redirectURL ?? PAGES.CREDENTIALS);
|
||||
saveCredentialsAndNavigateTo(response).then((slug: string) => {
|
||||
router.push(slug);
|
||||
});
|
||||
}, []);
|
||||
|
||||
@@ -47,8 +46,10 @@ export default Page;
|
||||
*
|
||||
* @param response The string that is passed as the response query parameter to
|
||||
* us (we're the final "finish" page in the passkey flow).
|
||||
*
|
||||
* @returns the slug that we should navigate to now.
|
||||
*/
|
||||
const saveCredentials = async (response: string) => {
|
||||
const saveCredentialsAndNavigateTo = async (response: string) => {
|
||||
// Decode response string (inverse of the steps we perform in
|
||||
// `passkeyAuthenticationSuccessRedirectURL`).
|
||||
const decodedResponse = JSON.parse(
|
||||
@@ -64,7 +65,25 @@ const saveCredentials = async (response: string) => {
|
||||
//
|
||||
// - The encrypted `encryptedToken` will be present otherwise (i.e. if the
|
||||
// user is signing into an existing account).
|
||||
const { keyAttributes, encryptedToken, token, id } = decodedResponse;
|
||||
const { passkeySessionID, keyAttributes, encryptedToken, token, id } =
|
||||
decodedResponse;
|
||||
|
||||
const inflightPasskeySessionID = nullToUndefined(
|
||||
sessionStorage.getItem("inflightPasskeySessionID"),
|
||||
);
|
||||
if (
|
||||
!passkeySessionID ||
|
||||
!inflightPasskeySessionID ||
|
||||
passkeySessionID != inflightPasskeySessionID
|
||||
) {
|
||||
// This is not the princess we were looking for. However, we have
|
||||
// already entered this castle. Redirect back to home without changing
|
||||
// any state, hopefully this will get the user back to where they were.
|
||||
return "/";
|
||||
}
|
||||
|
||||
sessionStorage.removeItem("inflightPasskeySessionID");
|
||||
|
||||
setData(LS_KEYS.USER, {
|
||||
...getData(LS_KEYS.USER),
|
||||
token,
|
||||
@@ -72,4 +91,8 @@ const saveCredentials = async (response: string) => {
|
||||
id,
|
||||
});
|
||||
setData(LS_KEYS.KEY_ATTRIBUTES, keyAttributes);
|
||||
|
||||
const redirectURL = InMemoryStore.get(MS_KEYS.REDIRECT_URL);
|
||||
InMemoryStore.delete(MS_KEYS.REDIRECT_URL);
|
||||
return redirectURL ?? PAGES.CREDENTIALS;
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user